Preface



This volume contains the proceedings of the 22nd International Conference on 
Application and Theory of Petri Nets. The aim of the Petri net conferences is to 
create a forum for discussing progress in the application and theory of Petri nets. 
Typically, the conferences have 100-150 participants - one third of these coming 
from industry while the rest are from universities and research institutions. The 
conferences always take place in the last week of June. 

This year the conference was organized jointly with the 2nd International 
Conference on Application of Concurrency to System Design (ICACSD 2001). 
The two conferences shared the invited lectures and the social program. 

The conference and a number of other activities are co-ordinated by a steering committee with the following members: G. Balbo (Italy), J. Billington (Australia), G. De Michelis (Italy), C. Girault (France), K. Jensen (Denmark), S. Kumagai (Japan), T. Murata (USA), C.A. Petri (Germany; honorary member), W. Reisig (Germany), G. Rozenberg (The Netherlands; chairman), and M. Silva (Spain).

Other activities before and during the 2001 conference included tool demonstrations, a meeting on “XML Based Interchange Formats for Petri Nets”, extensive introductory tutorials, two advanced tutorials on “Probabilistic Methods in Concurrency” and “Model Checking”, and two workshops on “Synthesis of Concurrent Systems” and “Concurrency in Dependable Computing”. The tutorial notes and workshop proceedings are not published in these proceedings, but copies are available from the organizers.

The 2001 conference was organized by the Department of Computing Science 
at the University of Newcastle upon Tyne, United Kingdom. We would like to 
thank the members of the organizing committee (see next page) and their teams. 

We would like to thank very much all those who submitted papers to the Petri net conference. We received a total of 48 submissions from 21 different countries. This volume comprises the papers that were accepted for presentation. Invited lectures were given by S. Donatelli, R. Milner, and M. Nielsen (whose papers are included in this volume), and G. Holzmann, J. Kramer, and A. Sangiovanni-Vincentelli (whose papers are included in the proceedings of ICACSD 2001).

The submitted papers were evaluated by a program committee. The program 
committee meeting took place in Newcastle upon Tyne, United Kingdom. We 
would like to express our gratitude to the members of the program committee, 
and to all the referees who assisted them. The names of these are listed on the 
following pages. 

We would like to acknowledge the local support of J. Dersley, D. Faulder, P. Jacques, L. Marshall, and R. Poat. Finally, we would like to mention the excellent co-operation with Springer-Verlag during the preparation of this volume.
Kronecker Algebra and (Stochastic) Petri Nets:
Is It Worth the Effort? 



Susanna Donatelli 

Dip. di Informatica, Università di Torino, Corso Svizzera 185, 10149 Torino, Italy

susiSdi .unite . it 



Abstract. The paper discusses the impact that Kronecker algebra has had, and is having, on the solution of SPNs: how it has influenced not only the solution of the stochastic process associated with an SPN, but also the algorithms and the data structures for the reachability analysis of untimed Petri nets. Special emphasis is put on clarifying the advantages and disadvantages of the Kronecker-based approach, in terms of computational complexity, memory savings and applicability to the solution of models of real systems.



1 Introduction 

It is well known that one of the major factors that has limited, and is limiting, the impact of Petri nets on practical applications is the so-called “state-space explosion problem”, stemming from the fact that even very “innocent” nets, with a small number of places and transitions, can lead to very large state spaces, and that the construction of the state space is very often a mandatory step in proving model properties and reachability for untimed nets or in computing performance indices for stochastic Petri nets. A number of counter-measures have been devised by different researchers, and in this paper we present one of these solutions, known as the “Kronecker-based” or “structured” method, discussing the maturity of the technique with respect to its range of applicability to the whole class of Petri nets, to the complexity of the solution and to the availability of solution tools.

The Kronecker algebra approach was introduced in the Petri net world in the context of the exact solution of stochastic models, to express the infinitesimal generator Q of an SPN in terms of matrices $Q_i$ coming from some components (subnets with a smaller state space) combined by Kronecker operators, and to implement the solution of the characteristic steady-state equation $\pi \cdot Q = 0$ without computing and storing Q: this technique allows the storage bottleneck to be moved from the infinitesimal generator matrix to the probability vector. All the works for SPNs cited above were inspired by the work of Plateau on Stochastic Automata Networks. The ideas presented in her work have been applied first to a simple subset of SPNs called Superposed Stochastic Automata, and later to the larger class of Superposed Generalized Stochastic Petri Nets (SGSPN).

The approach is based on a construction of the state space in which a certain Cartesian product of the reachable states of the components is performed, leading eventually to a product space $\hat{S}$ that includes the actual reachability set S. According to this structured view of the state space the $Q_i$ matrices can be derived, which form the building blocks of the Kronecker algebra formula of the complete infinitesimal generator. Interestingly enough, it was shown that the same approach can be used to describe the reachability matrix of a net starting from the reachability matrices of the component nets, so that Kronecker algebra constitutes another example of cross-fertilization between the field of performance evaluation, in which the technique was initially devised, and the analysis of the untimed behaviour of Petri nets.

In summary, two beneficial effects are produced by using Kronecker algebra. First, the space complexity of the solution is lowered, moving the bottleneck from the infinitesimal generator to the probability vector for performance evaluation, and from the reachability graph to the reachability set in untimed nets, with possibly a gain also in time complexity (depending on the structure of the model and on |S|). Second, the existence of an expression for the infinitesimal generator and for the reachability matrix provides insight into the relationships between the structure of a GSPN and that of its underlying CTMC and reachability graph.

The paper is organized as follows: Section 2 introduces the simple notions of Kronecker algebra used later in the paper, with special attention to the complexity of multiplying a vector by a matrix given as a Kronecker expression. Section 3 describes the use of Kronecker algebra in the field of Petri nets, while Section 4 summarizes problems and extensions of the method. Section 5 concludes the paper discussing whether the use of Kronecker algebra in the Petri net field was, and is, “worth the effort”.



2 Preliminaries 



Kronecker algebra is an algebra defined on matrices, with a product operator denoted by $\otimes$ and a sum operator denoted by $\oplus$. In the following definitions we consider matrices over the reals.



Definition 1. Let A be an $n \times m$ matrix ($A \in \mathbb{R}^{n \times m}$) and B be a $p \times q$ one ($B \in \mathbb{R}^{p \times q}$). C is the Kronecker product of A and B, and we write $C = A \otimes B$, iff C is an $(n \cdot p) \times (m \cdot q)$ matrix ($C \in \mathbb{R}^{np \times mq}$) defined by:

$$c_{ij} = a_{i_1 j_1} \cdot b_{i_2 j_2}$$

with $\mathbf{i} = (i_1, i_2)$, $\mathbf{j} = (j_1, j_2)$, and $i = i_1 \cdot p + i_2$ (similarly, $j = j_1 \cdot q + j_2$).

As a simple example consider the Kronecker product of a $2 \times 2$ matrix with a $2 \times 3$ one. We have

$$A = \begin{pmatrix} a_{00} & a_{01} \\ a_{10} & a_{11} \end{pmatrix} \qquad B = \begin{pmatrix} b_{00} & b_{01} & b_{02} \\ b_{10} & b_{11} & b_{12} \end{pmatrix}$$

$$C = A \otimes B = \begin{pmatrix}
a_{00}b_{00} & a_{00}b_{01} & a_{00}b_{02} & a_{01}b_{00} & a_{01}b_{01} & a_{01}b_{02} \\
a_{00}b_{10} & a_{00}b_{11} & a_{00}b_{12} & a_{01}b_{10} & a_{01}b_{11} & a_{01}b_{12} \\
a_{10}b_{00} & a_{10}b_{01} & a_{10}b_{02} & a_{11}b_{00} & a_{11}b_{01} & a_{11}b_{02} \\
a_{10}b_{10} & a_{10}b_{11} & a_{10}b_{12} & a_{11}b_{10} & a_{11}b_{11} & a_{11}b_{12}
\end{pmatrix}$$
An important matter is that there are two different ways to address a row (or a column) in a product matrix: either with a natural number i, with $i \in [1 \ldots n \cdot p]$ (j, with $j \in [1 \ldots m \cdot q]$), or with a vector $[i_1, i_2]$, with $i_1 \in [1 \ldots n]$ and $i_2 \in [1 \ldots p]$ (and analogously for columns). The transformation from i to $[i_1, i_2]$ is well defined, since $[i_1, i_2]$ is nothing but the representation of i in the mixed base (n, p).

The generalization to K matrices is immediate: let $A = \bigotimes_{k=1}^{K} A^k$ denote the Kronecker product of K matrices $A^k \in \mathbb{R}^{n_k \times m_k}$. Let $n = \prod_{k=1}^{K} n_k$ and $m = \prod_{k=1}^{K} m_k$. If we assume a $(n_1, \ldots, n_K)$ mixed-base numbering scheme, the tuple $\mathbf{i} = (i_1, \ldots, i_K)$ corresponds to the number $(\ldots((i_1) n_2 + i_2) n_3 \cdots) n_K + i_K$. A $(m_1, \ldots, m_K)$ mixed-base numbering scheme can similarly be associated to j. If we assume that $\mathbf{i}$ ($\mathbf{j}$) is the mixed-base representation of i (j), the generic element of $A \in \mathbb{R}^{n \times m}$ is

$$a_{ij} = a^1_{i_1 j_1} \cdot a^2_{i_2 j_2} \cdots a^K_{i_K j_K} \qquad (1)$$

The Kronecker sum is instead defined for square matrices only, in terms of the Kronecker product operator:

Definition 2. Let A be an $n \times n$ matrix ($A \in \mathbb{R}^{n \times n}$) and B be a $p \times p$ one ($B \in \mathbb{R}^{p \times p}$). D is the Kronecker sum of A and B, and we write $D = A \oplus B$, iff D is an $(n \cdot p) \times (n \cdot p)$ matrix ($D \in \mathbb{R}^{np \times np}$) defined by:

$$D = A \oplus B = A \otimes I_p + I_n \otimes B$$

where $I_x$ is the $x \times x$ identity matrix.



Let’s consider again the two matrices A and B, where A is the same as before, and in B the last column has been deleted. The computation of their Kronecker sum is:

$$A \otimes I_2 = \begin{pmatrix}
a_{00} & 0 & a_{01} & 0 \\
0 & a_{00} & 0 & a_{01} \\
a_{10} & 0 & a_{11} & 0 \\
0 & a_{10} & 0 & a_{11}
\end{pmatrix}
\qquad
I_2 \otimes B = \begin{pmatrix}
b_{00} & b_{01} & 0 & 0 \\
b_{10} & b_{11} & 0 & 0 \\
0 & 0 & b_{00} & b_{01} \\
0 & 0 & b_{10} & b_{11}
\end{pmatrix}$$

$$D = A \oplus B = \begin{pmatrix}
a_{00} + b_{00} & b_{01} & a_{01} & 0 \\
b_{10} & a_{00} + b_{11} & 0 & a_{01} \\
a_{10} & 0 & a_{11} + b_{00} & b_{01} \\
0 & a_{10} & b_{10} & a_{11} + b_{11}
\end{pmatrix}$$



The generalization to K matrices is straightforward. Let $A = \bigoplus_{k=1}^{K} A^k$ denote the Kronecker sum of K matrices $A^k \in \mathbb{R}^{n_k \times n_k}$:

$$A = \bigoplus_{k=1}^{K} A^k = \sum_{k=1}^{K} I_{n_1} \otimes \cdots \otimes I_{n_{k-1}} \otimes A^k \otimes I_{n_{k+1}} \otimes \cdots \otimes I_{n_K} .$$
2.1 Kronecker Operators and Independent Composition of Markov Chains

Let us consider two independent Markov chains $\mathcal{M}_1$ and $\mathcal{M}_2$, and assume that we know the sets of reachable states of the two, $S^1$ and $S^2$. Assuming that the two are finite, of cardinality $n_1$ and $n_2$ respectively, it is a straightforward task to associate a number from 1 to $n_1$ ($n_2$) to each state of the first (second) model.

If we now consider the global model $\mathcal{M}$ obtained by the parallel and independent composition of the two models, then a global state is a pair $\mathbf{i} = (i_1, i_2)$, and, if $n_1$ and $n_2$ are finite, it is straightforward to associate to $\mathbf{i}$ the number $i = i_1 \cdot n_2 + i_2$.

In general, if we have K models $\mathcal{M}_k$, each with state space $S^k$ of $n_k$ states, then the state space of the model $\mathcal{M}$, obtained by the independent parallel composition of the K models, is the Cartesian product of the state spaces:

$$S = S^1 \times \cdots \times S^K$$

and the number of states is:

$$n = |S| = \prod_{k=1}^{K} n_k$$

Again, each state is identified either by the number i or by the vector $\mathbf{i}$ of size K.

In the case of square matrices, if A and B are interpreted as the state transition matrices of two discrete time Markov chains, it is immediate to recognize (see Davio) that $C = A \otimes B$ is the transition probability matrix of the process obtained as the independent composition of the two original processes. Indeed, for the global system to move from $\mathbf{i} = (i_1, \ldots, i_K)$ to $\mathbf{j} = (j_1, \ldots, j_K)$ each component k has to move from $i_k$ to $j_k$ at the same time step, and this indeed happens with a probability that is the product of the probabilities of the local moves.

Again, if we consider A and B as the infinitesimal generators of two continuous time Markov chains, then $D = A \oplus B$ is the infinitesimal generator of the process obtained by the independent composition of the two original ones. Indeed the behaviour of the independent composition of two CTMCs is the sum of two terms: the first CTMC moves while, at the same time, the second one does not move ($A \otimes I_p$), or vice versa ($I_n \otimes B$).

Observe that a system obtained by the independent composition of K CTMCs can move from a state $\mathbf{i} = (i_1, \ldots, i_K)$ to a state $\mathbf{j} = (j_1, \ldots, j_K)$ only if there exists one and only one index k such that $i_k \neq j_k$, since we are in a continuous time environment, and indeed the Kronecker sum produces a matrix in which all transition rates among states that differ by more than a single component are set equal to zero.

2.2 Vector-Matrix Multiplication 

An aspect that deserves attention is that even if the infinitesimal generator of the global system is rewritten using only the infinitesimal generators of the component systems, an evaluation of the expression nevertheless leads to a matrix of size equal to the product of the sizes of the components. The interesting point is that the expression need not be evaluated explicitly: indeed, each time an element of A is used, we only need to compute its value according to the Kronecker product definition, which requires $K - 1$ additional multiplications.

A different method, called the shuffle method, considers the $A^k$ matrices sequentially, one at a time, exploiting the equality [15]:

$$D = \bigotimes_{k=1}^{K} A^k = \prod_{k=1}^{K} S(n_k, \bar{n}_k) \cdot \left( I_{\bar{n}_k} \otimes A^k \right) \qquad (2)$$

where $\bar{n}_k = n_1 \cdot \ldots \cdot n_{k-1} \cdot n_{k+1} \cdot \ldots \cdot n_K$, and $S(a, b) \in \{0, 1\}^{ab \times ab}$ is the matrix describing an (a, b) perfect shuffle permutation:

$$s_{ij} = \begin{cases} 1 & \text{if } j = (i \bmod a) \cdot b + (i \text{ div } a) \\ 0 & \text{otherwise} \end{cases}$$



Complexity plays a relevant role in Kronecker algebra based methods: while the storage advantages are obvious (K matrices of size $n_k \times n_k$ instead of one of size $n \times n$, with $n = \prod_{k=1}^{K} n_k$), the time advantages/disadvantages are less intuitive. A discussion of the complexity of the shuffle based algorithms, for the full storage case, can be found in the literature, while a subsequent work presents alternative algorithms for the matrix-vector multiplication and compares the time complexity of the new algorithms and of shuffle in the case of both full and sparse storage. We report in the following the results of that comparison, for the computation of $x \cdot A$, where $A = \bigotimes_{k=1}^{K} A^k$. Each matrix $A^k$ is a square matrix of size $n_k \times n_k$, that is to say with $(n_k)^2$ elements, while we indicate with $\eta[A^k]$ the number of non-zero elements of $A^k$; by definition of the Kronecker product, A has $n^2$ elements, with $n = \prod_{k=1}^{K} n_k$, of which $\eta[A] = \prod_{k=1}^{K} \eta[A^k]$ are non-zero.

For the complexity we consider three cases: Ordinary, where matrix A is computed and stored in memory; Shuffle, that uses the shuffle based equations presented above; and Row, that is a straightforward algorithm (presented in figure 5.3 of the work cited above) that does not store A, but computes each element of the matrix “on the fly” when it is needed. This implies in theory K additional multiplications per element, but the algorithm optimizes this computation by memorizing partial computations (prefixes of the products) in K additional variables.

If the matrices $A^k$ are stored in full storage, the complexity is

— Ordinary: $O(n^2)$

— Shuffle: $O\left(n \cdot \sum_{k=1}^{K} n_k\right)$

— Row: $O(n^2)$

Observe that Row effectively amortizes the K additional multiplications if the matrix is full, so that there is basically no additional time overhead for the reduced space complexity, while Shuffle performs better than the ordinary multiplication, so that the saving in space is coupled with a saving in time.

If the matrices are stored in sparse storage and are “not too sparse”:

— Ordinary: $O(\eta(A))$

— Shuffle: $O\left(n \cdot \sum_{k=1}^{K} \frac{\eta(A^k)}{n_k}\right)$

— Row: $O\left(\sum_{k=1}^{K} \prod_{l=1}^{k} \eta(A^l)\right) = O\left(\prod_{k=1}^{K} \eta(A^k)\right) = O(\eta(A))$

Depending on the sparsity of the matrix, Shuffle can still do better than the other algorithms, but if the matrices are ultrasparse, that is to say most rows have zero or one non-zero, which implies that $\eta(A^k) \approx n_k$, then the complexity of Shuffle and Row becomes:

$$O(K \cdot n) = O\left(K \cdot \prod_{k=1}^{K} \eta(A^k)\right) = O(K \cdot \eta(A))$$

that is to say, both Shuffle and Row pay an additional K overhead in time, with respect to a straightforward multiplication, for the saving in space.

A particular case of multiplication is the one used for the Kronecker sum, since, by definition of sum, all matrices in the product are identities but one, $A^k$. Specific algorithms have been designed for this particular case, but, independently of whether Shuffle or Row is used, the resulting complexity is:

$$O\left(n \cdot \frac{\eta(A^k)}{n_k}\right)$$

and, since there are K such products for a Kronecker sum, the total complexity for the vector-matrix multiplication is

$$\sum_{k=1}^{K} O\left(n \cdot \frac{\eta(A^k)}{n_k}\right)$$
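The following pure Python example is added here and is not code from the paper; it illustrates Section 2 as a whole: Definitions 1 and 2, the mixed-base numbering of Section 2.1, and the point of Section 2.2 that $x \cdot A$ can be computed from the factors $A^k$ without ever materializing A. The function names (`kron`, `kron_sum`, `vec_times_kron`, `vec_times_kron_sum`) and the small integer matrices are choices made for the example. The on-the-fly multiplication follows the idea of the Row algorithm (compute $a_{ij}$ from equation (1) when needed), with the factors kept in sparse row form, and the Kronecker-sum multiplication moves exactly one component per term, which is what gives the $n \cdot \eta(A^k)/n_k$ cost per term stated in the text.

```python
"""Kronecker product and sum, mixed-base indexing, and multiplication of a vector
by a Kronecker expression without building the product matrix (added example,
pure Python; not code from the paper)."""
from itertools import product

def kron(A, B):
    """C = A (x) B for dense matrices given as lists of rows (Definition 1).
    Row (i1, i2) of C is i1 * p + i2 and column (j1, j2) is j1 * q + j2."""
    return [[a * b for a in row_a for b in row_b] for row_a in A for row_b in B]

def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def mat_add(X, Y):
    return [[x + y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def kron_sum(A, B):
    """D = A (+) B = A (x) I_p + I_n (x) B for square A (n x n) and B (p x p)."""
    return mat_add(kron(A, identity(len(B))), kron(identity(len(A)), B))

def to_mixed_base(i, sizes):
    """Number i -> tuple (i_1, ..., i_K) in the mixed base (n_1, ..., n_K)."""
    digits = []
    for n_k in reversed(sizes):
        digits.append(i % n_k)
        i //= n_k
    return tuple(reversed(digits))

def from_mixed_base(digits, sizes):
    """Tuple -> number (...((i_1) n_2 + i_2) n_3 ...) n_K + i_K."""
    i = 0
    for d, n_k in zip(digits, sizes):
        i = i * n_k + d
    return i

def vec_times_dense(x, M):
    """Reference: x . M with M stored explicitly (the 'Ordinary' case)."""
    return [sum(x[i] * M[i][j] for i in range(len(x))) for j in range(len(M[0]))]

def vec_times_kron(x, factors):
    """x . (A^1 (x) ... (x) A^K) for square factors without materialising A.
    Element a_ij is the product of the a^k_{i_k j_k} (equation (1)); each factor
    is turned into a sparse row representation so zero entries cost nothing."""
    sizes = [len(Ak) for Ak in factors]
    sparse = [[{c: v for c, v in enumerate(row) if v != 0} for row in Ak] for Ak in factors]
    y = [0.0] * len(x)
    for i, xi in enumerate(x):
        if xi == 0:
            continue
        idx = to_mixed_base(i, sizes)
        # one candidate target column per combination of non-zero local columns
        per_factor = [list(sparse[k][idx[k]].items()) for k in range(len(factors))]
        for combo in product(*per_factor):
            val = xi
            for _, v in combo:
                val *= v
            y[from_mixed_base([c for c, _ in combo], sizes)] += val
    return y

def vec_times_kron_sum(x, factors):
    """x . (A^1 (+) ... (+) A^K): in each of the K terms exactly one component
    changes, so term k costs n * eta(A^k) / n_k operations, as stated in 2.2."""
    sizes = [len(Ak) for Ak in factors]
    y = [0.0] * len(x)
    for k, Ak in enumerate(factors):
        for i, xi in enumerate(x):
            if xi == 0:
                continue
            idx = list(to_mixed_base(i, sizes))
            for j, v in enumerate(Ak[idx[k]]):
                if v != 0:
                    target = idx[:]
                    target[k] = j
                    y[from_mixed_base(target, sizes)] += xi * v
    return y
```

Checking `vec_times_kron` against `vec_times_dense(x, kron(kron(A, B), C))` on three 2 x 2 factors shows the two routes agree while the on-the-fly version never holds more than the K factors, the vector x and the result y in memory.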


3 Kronecker Algebra and Petri Nets 

An obvious application of Kronecker operators to Petri nets is to use them to define the CTMC of a model obtained from the independent composition of K GSPNs. The example we present here is due to Ciardo, from our joint tutorial presentation.

Given K nets $\mathcal{N}^1, \ldots, \mathcal{N}^K$, let

— $S^k$ be the local tangible reachability set for model k;

— $n_k = |S^k|$;

— $\hat{S} = S^1 \times \cdots \times S^K$ be the potential state space (also called product state space).

The model obtained by parallel composition of the K models

$$\mathcal{N} = \mathcal{N}^1 \,\|\, \ldots \,\|\, \mathcal{N}^K$$

has tangible reachability set $S = \hat{S}$, and

$$|S| = |\hat{S}| = n = \prod_{k=1}^{K} n_k$$

For $\mathcal{N}$ we can compute the rate matrix R (the matrix obtained from the infinitesimal generator by setting to zero all the diagonal elements) from the rate matrices of the components as:

$$R = \bigoplus_{k=1}^{K} R^k$$

which follows from the analogous result for the independent composition of CTMCs.




Fig. 1. Two independent GSPNs 



An example of the rate matrix computation is now presented using the GSPNs of Figure 1, $\mathcal{N}^1$ on the left and $\mathcal{N}^2$ on the right. $\mathcal{N}^1$ has 4 states, numbered from 0 to 3:

$p_1 \to 0$

$p_2 + p_3 \to 1$

$p_3 + p_4 \to 2$

$p_2 + p_5 \to 3$

while $\mathcal{N}^2$ has 6 states, numbered from 0 to 5:

$2 \cdot p_6 \to 0$

$p_6 + p_7 \to 1$

$2 \cdot p_7 \to 2$

$p_6 + p_8 \to 3$

$p_7 + p_8 \to 4$

$2 \cdot p_8 \to 5$

The GSPN $\mathcal{N} = \mathcal{N}^1 \,\|\, \mathcal{N}^2$ has 24 states, with

$$n = n_1 \cdot n_2 = |S| = |\hat{S}| = 24$$

For net $\mathcal{N}$ we can compute the rate matrix R as:

$$R = R^1 \oplus R^2$$

where $R^k$ is the rate matrix of $\mathcal{N}^k$.




Fig. 2. Two dependent GSPNs 



What happens if there are instead dependencies among nets, in the sense that the change of state in one GSPN is conditioned on the current (sub)state of the other? An example of such dependencies is shown in the net $\mathcal{N}$ of Figure 2, where it is immediate to recognize nets $\mathcal{N}^1$ and $\mathcal{N}^2$ of Figure 1, and the dependency is obtained by imposing a synchronization between transition $t_1$ of $\mathcal{N}^1$ and $t_1$ of $\mathcal{N}^2$, and between $t_3$ of $\mathcal{N}^1$ and $t_3$ of $\mathcal{N}^2$. This net belongs to the class called “Superposed Generalized Stochastic Petri Nets” (SGSPN), that is to say a set of GSPNs synchronized on transitions.

A first consequence of the dependencies among the two nets is that the Cartesian product $\hat{S} = S^1 \times S^2$ of the state spaces of the components considered in isolation is now a superset of the reachability set S of $\mathcal{N}$, that is to say $S \subset \hat{S}$. We shall use $\hat{n}$ for the cardinality of $\hat{S}$ and n for the cardinality of S: of the 24 states of $\hat{S}$ only 10 are reachable.

A second effect of the dependencies is that $R^1 \oplus R^2$ does not correctly describe the rate matrix R of $\mathcal{N}$: indeed the effect of the synchronizations is to eliminate the contributions due to the firings of $t_1$ in any state in which the other net is not in a (local) state in which transition $t_1$ is enabled, and to have an additional contribution due to the simultaneous change of (local) states. With respect to the rate matrix obtained as $R^1 \oplus R^2$, we have therefore to remove and add contributions: removal is realized by setting to zero the contributions in the component matrices $R^k$, while the addition is realized by summing matrices of size $\hat{n}$ that are also expressed in Kronecker form.

The resulting expression is

$$R = \hat{R}_{S,S} = \left( \bar{R}^1 \oplus \bar{R}^2 + w(t_1)\, B^{1,t_1} \otimes B^{2,t_1} + w(t_3)\, B^{1,t_3} \otimes B^{2,t_3} \right)_{S,S}$$

$\bar{R}^k$ is the rate matrix of component k where all contributions due to synchronization transitions have been deleted, w(t) is the rate of transition t, and $B^{k,t}$ is the matrix that describes the reachability in component k due to the firing of t. The notation $\hat{R}_{S,S}$ indicates the matrix obtained by selecting only rows and columns corresponding to reachable states (states in S), since, indeed, the matrices resulting from the Kronecker sum and product have the same size as $\hat{S}$.

The formula requires the construction of the following matrices (where, for brevity, we have indicated with $\lambda_i$ the rate $w(t_i)$): $\bar{R}^1$, $\bar{R}^2$, $w(t_1) \cdot B^{1,t_1}$, $w(t_1) \cdot B^{2,t_1}$, $w(t_3) \cdot B^{1,t_3}$ and $w(t_3) \cdot B^{2,t_3}$.

[The six matrices are displayed here in the original; their entries, in terms of the rates $\lambda_i$, are not recoverable from the scan.]
And the evaluation of the formula for R leads to the matrix $\hat{R}$ over $\hat{S}$; by selecting only rows and columns in S we get the correct rate matrix R.

[Both $\hat{R}$ and R are displayed here in the original; their entries are not recoverable from the scan.]

In general, given a GSPN $\mathcal{N}$ obtained from K GSPNs synchronized over a set $T^s$ of timed transitions, the expression for the rate matrix is as follows:

$$R = \hat{R}_{S,S} = \left( \bigoplus_{k=1}^{K} \bar{R}^k + \sum_{t \in T^s} w(t) \cdot \bigotimes_{k=1}^{K} B^{k,t} \right)_{S,S}$$

where $\bar{R}^k$ is the rate matrix of component k where all contributions due to transitions in $T^s$ have been deleted, w(t) is the rate of transition t, and $B^{k,t}$ is the matrix that describes the reachability in component k due to the firing of t.

When performing a matrix-vector multiplication for steady state or transient analysis, the vector is sized according to $\hat{S}$, but, even if there are non-reachable (spurious) states in $\hat{S}$, the Kronecker algebra approach leads to the exact solution if a non-zero initial probability is assigned only to reachable states. Nevertheless the storage and computational complexity may be increased in practice to the point that the advantages of the technique are lost, unless specific counter-measures are taken, as will be discussed in the next section.
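As an added example, not taken from the paper (whose nets and rates in Figures 1 and 2 are not recoverable here), the following pure Python code builds the rate matrix of a small SGSPN exactly as the general formula above prescribes: the Kronecker sum of the local rate matrices $\bar{R}^k$, plus one weighted Kronecker product of $B^{k,t}$ matrices per synchronized transition, followed by the restriction to the reachable states S. The two-component net, its state numbering, the transition names `start`, `work`, `finish` and the rates are all constructed for the example; the reachable set is read off $\hat{R}$ itself, since the reachability graph is contained in the Kronecker expression.

```python
"""Rate matrix of an SGSPN from its Kronecker expression (added example, pure
Python; the two-component net below is constructed, not the one of the paper).
R = ( R1 (+) R2 + sum_{t in T^s} w(t) * B^{1,t} (x) B^{2,t} )_{S,S}"""
from collections import deque
from functools import reduce

# Component 1: 0=idle --start--> 1=busy --work--> 2=done --finish--> 0
# Component 2: 0=idle --start--> 1=busy --finish--> 0
# 'start' and 'finish' are synchronised timed transitions, 'work' is local to 1.
SIZES = [3, 2]
LOCAL = {0: [(1, 2, 2.0)], 1: []}                 # k -> [(from, to, rate)]
SYNC = {"start": (1.0, [(0, 1), (0, 1)]),         # t -> (w(t), [(from, to) per k])
        "finish": (3.0, [(2, 0), (1, 0)])}
INITIAL = (0, 0)

def zeros(n, m):
    return [[0.0] * m for _ in range(n)]

def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def kron(A, B):
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def mat_add(X, Y):
    return [[x + y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def kron_sum(A, B):
    return mat_add(kron(A, identity(len(B))), kron(identity(len(A)), B))

def local_rate_matrix(k):
    """R-bar^k: local rates only; synchronised transitions are left out."""
    R = zeros(SIZES[k], SIZES[k])
    for src, dst, rate in LOCAL[k]:
        R[src][dst] += rate
    return R

def sync_matrix(k, t):
    """B^{k,t}: 0/1 matrix of the local move caused by synchronised transition t."""
    B = zeros(SIZES[k], SIZES[k])
    src, dst = SYNC[t][1][k]
    B[src][dst] = 1.0
    return B

def potential_rate_matrix():
    """R-hat over the product space S-hat, before any restriction."""
    K = len(SIZES)
    R_hat = reduce(kron_sum, [local_rate_matrix(k) for k in range(K)])
    for t, (w, _) in SYNC.items():
        term = reduce(kron, [sync_matrix(k, t) for k in range(K)])
        R_hat = mat_add(R_hat, [[w * v for v in row] for row in term])
    return R_hat

def mixed_base_index(state):
    i = 0
    for comp, n_k in zip(state, SIZES):
        i = i * n_k + comp
    return i

def reachable_states(R_hat, initial):
    """Reachability set S: states reachable in R-hat from the initial marking.
    The reachability graph is read off the Kronecker expression itself."""
    start = mixed_base_index(initial)
    seen, queue = {start}, deque([start])
    while queue:
        i = queue.popleft()
        for j, v in enumerate(R_hat[i]):
            if v != 0.0 and j not in seen:
                seen.add(j)
                queue.append(j)
    return sorted(seen)

def restrict(M, states):
    """M_{S,S}: keep only the rows and columns of reachable states."""
    return [[M[i][j] for j in states] for i in states]

def build_rate_matrix():
    """Returns (n_hat, S as sorted mixed-base indices, R = R-hat_{S,S})."""
    R_hat = potential_rate_matrix()
    S = reachable_states(R_hat, INITIAL)
    return len(R_hat), S, restrict(R_hat, S)
```

Here $\hat{S}$ has $3 \cdot 2 = 6$ states but only three are reachable, (idle, idle), (busy, busy) and (done, busy): the three spurious ones (for instance (busy, idle)) exist in the product space only because each component was explored in isolation, which is exactly the $S \subset \hat{S}$ effect discussed above.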

4 Problems and Some Solutions 

In this section we summarize, with brief explanations and pointers to the literature, the major problems that the research community had, and has, to face to make the Kronecker approach effective in a larger context than SGSPN and with a more efficient solution process.



4.1 $\hat{S}$ versus S: Potential versus Actual

In general the distance between $\hat{S}$ and S can be such that all the space saving due to the use of a Kronecker expression instead of the explicit storage of R may be lost due to the size of the probability vector. A number of techniques have been devised; we discuss here two orthogonal ones: limiting $\hat{S}$ using the so-called “abstract views”, and using ad-hoc, efficient data structures that allow one to work directly with S.



Using abstract views. Figure 3 shows a GSPN S that can be considered as the composition of two GSPNs $S^1$ and $S^2$ over three common transitions T1, T2 and T3. Places whose names start with letter a define component $S^1$, and those starting with b define $S^2$. We assume that there is a sequence of n places and transitions between b21 and b2n, and of m places and transitions between a31 and a3m. $S^1$ has therefore m + 2 states, $S^2$ has n + 2. A product state space $\hat{S}$ can then be defined as

$$\hat{S} = S^1 \times S^2$$

and it is straightforward to observe that $S \subset \hat{S}$, since $\hat{S}$ has $(m + 2) \cdot (n + 2)$ states, but the reachability set of S has only m + n + 1.




Fig. 3. Explaining abstract views. 
To limit the number of spurious states, an abstract description of the system can be used to appropriately pre-select the subsets of the states that should enter in the Cartesian product.




Fig. 4. Explaining abstract views. 



For example, we can consider the net $S^a$ of Figure 4 as an abstract representation of the one in Figure 3, with place B2 “summarizing” the structure of places b21, ..., b2n and A3 “summarizing” the structure of places a31, ..., a3m. $S^a$ has three reachable states: $z_1 = (a1, b1)$, $z_2 = (a2, B2)$, and $z_3 = (A3, b3)$. The states of $S^1$ and $S^2$ can be partitioned according to the states of $S^a$: the m + 2 states of $S^1$ are partitioned in three equivalence classes: $S^1_{z_1} = \{a1\}$, $S^1_{z_2} = \{a2\}$, and $S^1_{z_3} = \{a31, \ldots, a3m\}$. Similarly, for $S^2$ we get: $S^2_{z_1} = \{b1\}$, $S^2_{z_2} = \{b21, \ldots, b2n\}$, and $S^2_{z_3} = \{b3\}$.

The restricted product state space RPS can then be built as:

$$RPS = \biguplus_{z \in S^a} S^1_z \times S^2_z = \{a1\} \times \{b1\} \;\uplus\; \{a2\} \times \{b21, \ldots, b2n\} \;\uplus\; \{a31, \ldots, a3m\} \times \{b3\}$$

where $\uplus$ is the disjoint set union. Note that in this case we obtain a precise characterization of the state space, but the union of Cartesian products can in general produce a superset of the reachable state space, depending on how precise the abstract representation is. We refer to methods based on the construction of a restricted state space as abstract, or two-level, methods.

Since the state space is no longer the Cartesian product of sets of local state spaces, but a union of Cartesian products, we cannot expect to have for the infinitesimal generator a Kronecker expression as simple as before: we can build a matrix $\hat{R}$, a supermatrix of the rate matrix R, of size $|RPS| \times |RPS|$, and then consider it as block structured according to the states of $S^a$. Each block will thus refer to a set of states obtained by a Cartesian product, and a Kronecker expression for each block can be derived. A similar method works for the reachability graph matrix.

Working with S only. Instead of trying to reduce the distance between $\hat{S}$ and S, it is possible to size the vector used for the vector-matrix multiplication according to n instead of $\hat{n}$. This is possible since it is known that the vector entries corresponding to non-reachable states are always equal to zero. But the problem to be faced is then to multiply a vector by a matrix of a different size, considering that it is no longer possible to use the mixed-base transformation to translate a vector index i into the K-element vector needed for the multiplication, and, of course, vice versa. The problem has been solved using a tree-like data structure with K levels, with the lowest level pointing to the vector to be multiplied. A path in the tree from root to leaf corresponds to a reachable state and to an efficient computation of the index in the vector of size |S|. Observe that such a tree structure contains a description of the reachability set, while the reachability graph can be derived from the Kronecker expression.

Several variations of it have been studied in the thesis of Kemper and by Ciardo and Miner, until a very efficient representation based on multivalued decision diagrams was devised and implemented in the thesis of Miner. The efficiency is so high in many practical cases that enormous state spaces can be stored, but of course no vector-matrix multiplication can be performed, since even the vector does not fit in memory (although the reachability set does!): nevertheless the efficient data structure can be used to effectively prove temporal logic properties using model checking.
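The K-level tree of the paragraph “Working with S only” above, as an added pure Python example that is not code from the paper or from the cited theses: one dictionary level per component, a leaf holding the position of the reachable state in a vector of size n = |S|, and a multiplication of such a vector by a Kronecker product of sparse factors in which target states are translated back to vector positions through the tree instead of the mixed-base number over $\hat{S}$. The three two-state components, the four reachable global states and the factor matrices are constructed for the example (the reachable set is closed under the factors, so no transition leaves S; a transition into a spurious state would be reported rather than silently dropped).

```python
"""K-level tree over the reachable set S, so that the probability vector is sized
n = |S| instead of n_hat = |S_hat| (added example, pure Python; not code from
the paper)."""
from itertools import product

# Constructed data: three two-state components (n_hat = 8), of which only
# four global states are reachable.
SIZES = [2, 2, 2]
REACHABLE = [(0, 0, 0), (1, 1, 1), (0, 1, 0), (1, 0, 1)]
# Sparse factors {row: {col: value}}; each one swaps the two local states.
FACTORS = [{0: {1: 2.0}, 1: {0: 2.0}},
           {0: {1: 0.5}, 1: {0: 0.5}},
           {0: {1: 3.0}, 1: {0: 3.0}}]
X = [0.125, 0.25, 0.5, 1.0]   # one entry per reachable state, in tree order

def build_tree(states):
    """Nested dicts, one level per component; a leaf holds the position of the
    state in the vector of size |S|. Positions follow lexicographic order."""
    tree = {}
    for pos, state in enumerate(sorted(states)):
        node = tree
        for comp in state[:-1]:
            node = node.setdefault(comp, {})
        node[state[-1]] = pos
    return tree

def position(tree, state):
    """Index of a global state in the compact vector, or None if spurious."""
    node = tree
    for comp in state:
        if comp not in node:
            return None
        node = node[comp]
    return node

def vec_times_kron_restricted(x, tree, states, factors):
    """x . (A^1 (x) ... (x) A^K) with x indexed through the tree rather than by
    the mixed-base number over the potential state space. Rows of A belonging
    to spurious states are never visited because only states in S are iterated."""
    y = [0.0] * len(states)
    for state in states:
        xi = x[position(tree, state)]
        if xi == 0.0:
            continue
        moves = [list(factors[k].get(state[k], {}).items()) for k in range(len(factors))]
        for combo in product(*moves):
            target = tuple(c for c, _ in combo)
            val = xi
            for _, v in combo:
                val *= v
            j = position(tree, target)
            if j is None:
                raise ValueError(f"transition into spurious state {target}")
            y[j] += val
    return y

def sizes_summary():
    """(n_hat, n): size of the potential space versus the compact vector."""
    n_hat = 1
    for n_k in SIZES:
        n_hat *= n_k
    return n_hat, len(REACHABLE)

def demo():
    tree = build_tree(REACHABLE)
    return vec_times_kron_restricted(X, tree, REACHABLE, FACTORS)
```

The tree costs one dictionary lookup per component to translate a state tuple into a vector position, which is the “efficient computation of the index” the text refers to, and it doubles as the stored description of the reachability set.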

4.2 Only SGSPN?

Up to now we have discussed only results in the field of SGSPN, that is to say the net must be seen as a set of GSPNs that interact by synchronization over timed transitions, and for each GSPN we must be able to generate a finite state space in isolation and the corresponding rate matrix. These limitations have mostly been overcome, and we discuss some of the solutions in the following.

Asynchronous composition. Asynchronous composition of models is as natural as the synchronous one, so a certain attention has been devoted to it. Buchholz was the first one to consider asynchronous composition, in the context of marked graphs and in that of hierarchical Petri nets and queueing networks. To solve the problem connected to the computation of the state spaces in isolation he introduced the concept of “high level view”, that we have presented above in the context of SGSPN. The work on marked graphs was adapted by Campos, Donatelli and Silva to the larger class of DSSP, and, finally, to the general case of GSPNs that interact through places (instead of transitions).






But two-level methods may work even if there is no high level model given: a subsequent work shows how to build automatically a two-level hierarchy starting from any state space, while a more recent improvement shows how this can be done at the net level.



Stochastic well-formed nets. The work on stochastic well-formed nets shows how the Kronecker approach can be extended to the case of high level nets. In particular the authors show that it is not possible to use the aggregated symbolic reachability graph of the components in isolation for the Kronecker expression, since it may not correctly take into account the effect of the synchronization activities, but that each net in isolation should include some information on the other nets with which it is going to be synchronized.



Synchronizing over immediate. All the initial works on SGSPN pose the limitation that modules should synchronize on timed transitions, a restriction that has been removed by Ciardo and Tilgner, and by Donatelli and Kemper.



Kronecker and Phase-type distributions. Phase-type distributions in queueing networks and stochastic Petri nets have the effect of enlarging the state space in a rather regular, almost Cartesian-like, fashion. This fact has been exploited in queueing networks by Beounes, and for Petri nets using a flat approach inspired by the classical work on SGSPN, that leads to a high number of non-reachable states, while a more elaborate method, based on abstract views consisting of the enabling degree of phase-type transitions, has been proposed that allows a precise characterization of the state space (no spurious states), and it has been followed also for the discrete phase-type case.



4.3 Working without Components 

What happens if the net does not have an explicit structure, since it has not been obtained by composition, and/or no information on a partitioning of the net into components with finite state space is available? It is possible to show that the modularity unit can be as fine as places (each place is a module), although the improvements in space and time may be lost in some cases: the method can therefore be applied to a general GSPN, but its efficacy in reducing the solution cost may be very low, or even result in a worsening of the problem. Despite the fact that the modularity can be as fine as desired, it is nevertheless necessary to be able to generate the local state spaces, or a superset of them, in isolation. If the modularity is at place level, a bound on the number of tokens in each place is enough to generate the local state spaces, and it is well known that this bound can be computed if the net is covered by P-invariants.
4.4 The Vector Bottleneck

We have discussed above the possibility of building and storing in compact form, using multivalued decision diagrams, very large state spaces: but what are the advantages for performance evaluation? Indeed, for the computation of the performance indices it is necessary to have the vector of steady state (or transient) probabilities, which has as many entries as there are states, so it may appear that there is no real advantage in building state spaces larger than a few million states (the current limit on a reasonably equipped PC nowadays). There are two possible solutions here: to limit our desires, considering approximations instead of exact results, as has been done in the literature, or to devise a method to store also the vector in an efficient manner (and no results are known up to now, to the best of the author’s knowledge).

5 Is/Was It Worth the Effort?

It is my opinion that the approach was worth the effort put into it for at least three reasons.

1. A contribution of Kronecker-based methods to the Petri net field has been that of thinking of global states in terms of products of local states, and of carrying this association over to the matrix level, for both Markov chain and reachability graph generation.

2. The transition from the potential state space to the multilevel tree and then to the multivalued decision diagram for the representation of the state space of a net can also be considered a very important result/effect of the application of Kronecker algebra to nets.

3. The compositional approach was traditionally seen in nets more as a descriptive mechanism than as a means to reach an efficient solution: indeed, Kronecker-based approaches have helped in changing this viewpoint.

Despite the above positive "theoretical" points, the impact of the Kronecker-based approach for the study of models coming from the real world is still very limited. There are perhaps two major reasons for this. The complexity results available at the beginning only referred to the case of matrices stored using a full storage scheme, and it was not at all obvious what the complexity actually was using a sparse scheme: the work in [6] clearly removes this limitation, although the abstract view case is not discussed. The absence of a clear statement on practical complexity, as well as a certain use of somewhat cumbersome notation, has indeed limited the spread of the technique. The other reason is the availability of tools, or, better, the availability of Kronecker-based solution in general purpose tools. Plateau implemented a first version of the solution of Stochastic Automata Networks in [35], while Kemper has implemented the solution of SGSPN models in a tool [27]. The SGSPN solution module is integrated into the Toolbox environment [28,29], which also allows the solution of hierarchical queueing Petri nets using the two-level methods due to Buchholz. SMART [14] is the tool by Ciardo and Miner that implements Kronecker-based methods using the very efficient representation of the state space based on multivalued decision diagrams; unfortunately the tool is not yet distributed to the large public, since the (in my opinion right) choice was taken to deliver the tool only when it is general purpose enough to support all the activities of analysis (including simulation), to allow its use by people that are not Kronecker experts, and when a reasonable manual is available.

As a final remark we can say that the success of the Kronecker-based research line could be measured in the near future by the number of improvements that will be hidden deep in the tools, that is to say, by how many of the results summarized in this paper will be made usable to a public with a knowledge of model verification and evaluation, but no specific knowledge of Kronecker algebra.



Acknowledgements. I would like to thank all the colleagues with whom I have shared my research effort in the field of Kronecker algebra and Petri nets, in particular Peter Buchholz, Gianfranco Ciardo, and Peter Kemper, since our joint work on complexity was a true and deep exchange of knowledge and experience for, I think, all of us. A special thanks goes to Ciardo for allowing me to re-use his LaTeX effort for the example that he had prepared for our joint tutorial, and to Gianfranco Balbo for telling me, already many years ago, when I was a PhD student: "I have listened to an interesting presentation by Plateau on Kronecker algebra: why don't you take a look at it?".

References 

1. C. Beounes. Stochastic Petri net modeling for dependability evaluation of complex computer system. In Proc. of the International Workshop on Timed Petri nets, Torino, Italy, July 1985. IEEE-CS Press.

2. M. Scarpa and A. Bobbio. Kronecker representation of stochastic Petri nets with discrete PH distributions. In Proceedings of International Computer Performance and Dependability Symposium - IPDS98, IEEE Computer Society Press, 52-61, 1998.

3. P. Buchholz and P. Kemper. On generating a hierarchy for GSPN analysis. ACM Performance Evaluation Review, Vol. 26 (2), 1998, pages 5-14.

4. P. Buchholz. Hierarchical structuring of Superposed GSPN. In Proc. of the 7th Intern. Workshop on Petri Nets and Performance Models, pages 11-90, Saint Malo, France, June 1997. IEEE-CS Press.

5. P. Buchholz. A hierarchical view of GCSPN's and its impact on qualitative and quantitative analysis. Journal of Parallel and Distributed Computing, 15(3):207-224, July 1992.

6. P. Buchholz, G. Ciardo, S. Donatelli, and P. Kemper. Complexity of memory-efficient Kronecker operations with applications to the solution of Markov models. INFORMS Journal on Computing, vol. 12, n. 3, summer 2000.

7. P. Buchholz and P. Kemper. Numerical analysis of stochastic marked graphs. In Proc. 6th Intern. Workshop on Petri Nets and Performance Models, pages 32-41, Durham, NC, USA, October 1995. IEEE-CS Press.




Kronecker Algebra and (Stochastic) Petri Nets: Is It Worth the Effort?



8. J. Campos, S. Donatelli, and M. Silva. Structured solution of stochastic DSSP systems. In Proc. of the 7th Intern. Workshop on Petri Nets and Performance Models, pages 91-100, Saint Malo, France, June 1997. IEEE-CS Press.

9. J. Campos, S. Donatelli, and M. Silva. Structured solution of Asynchronously Communicating Stochastic Modules. In IEEE Transactions on Software Engineering, 25(2), April 1999.

10. G. Ciardo, G. Luettgen, and Siminiceanu. Efficient symbolic state-space construction for asynchronous systems. In Proceedings of the 21st International Conference on Application and Theory of Petri Nets, Lecture Notes in Computer Science 1825, pages 103-122, June 2000. Springer-Verlag.

11. G. Ciardo and S. Donatelli. Kronecker operators and Markov chain solution. Tutorial presentation at the joint ACM SIGMETRICS and PERFORMANCE 1998 conference, June 1998, Wisconsin (USA).

12. G. Ciardo and A. S. Miner. Storage alternatives for large structured state spaces. In R. Marie, B. Plateau, M. Calzarossa, and G. Rubino, editors, Proc. 9th Int. Conf. on Modelling Techniques and Tools for Computer Performance Evaluation, LNCS 1245, pages 44-57, Saint Malo, France, June 1997. Springer-Verlag.

13. G. Ciardo and M. Tilgner. On the use of Kronecker operators for the solution of generalized stochastic Petri nets. ICASE Report 96-35, Institute for Computer Applications in Science and Engineering, Hampton, VA, May 1996.

14. G. Ciardo and A. S. Miner. SMART: Simulation and Markovian Analyzer for Reliability and Timing. In Proc. IEEE International Computer Performance and Dependability Symposium (IPDS'96), Urbana-Champaign, IL, USA, Sept. 1996. IEEE Comp. Soc. Press.

15. M. Davio. Kronecker products and shuffle algebra. IEEE Transactions on Computers, 30(2):116-125, 1981.

16. S. Donatelli. Superposed stochastic automata: a class of stochastic Petri nets with parallel solution and distributed state space. Performance Evaluation, 18:21-36, 1993.

17. S. Donatelli. Superposed generalized stochastic Petri nets: definition and efficient solution. In R. Valette, editor, Proc. of the 15th Intern. Conference on Applications and Theory of Petri Nets, volume 815 of Lecture Notes in Computer Science, pages 258-277. Springer-Verlag, Berlin Heidelberg, 1994.

18. S. Donatelli and P. Kemper. Integrating synchronization with priority into a Kronecker representation. Performance Evaluation, 44 (1-4), 2001.

19. S. Donatelli, S. Haddad, and P. Moreaux. Structured characterization of the Markov Chain of phase-type SPN. In Proc. 10th Int. Conf. on Modelling Techniques and Tools for Computer Performance Evaluation, Palma de Mallorca, September 98; LNCS 1469, Springer-Verlag.

20. P. Fernandes, B. Plateau, and W. J. Stewart. Efficient descriptor-vector multiplication in stochastic automata networks. Journal of the ACM, 45(3), 1998.

21. P. Fernandes, B. Plateau, and W. J. Stewart. Numerical issues for stochastic automata networks. INRIA research report no 2938, July 1996 (available by ftp from ftp.inria.fr).

22. S. Haddad, P. Moreaux, and G. Chiola. Efficient handling of phase-type distributions in generalized stochastic Petri nets. In Proc. of the 18th International Conference on Application and Theory of Petri Nets, number 1248 in LNCS, pages 175-194, Toulouse, France, June 23-27 1997. Springer-Verlag.

23. P. Kemper. Numerical analysis of superposed GSPN. IEEE Transactions on Software Engineering, 22(4):615-628, September 1996.




S. Donatelli



24. P. Kemper. Superposition of generalized stochastic Petri nets and its impact on performance analysis. PhD thesis, Universität Dortmund, 1996.

25. P. Kemper. Reachability analysis based on structured representations. In Proc. 17th International Conference Application and Theory of Petri Nets, Osaka (JP), June 1996, pp. 269-288, LNCS 1091. Springer, 1996.

26. P. Kemper. Transient analysis of superposed GSPNs. IEEE Trans. on Software Engineering, 25(2), March/April 1999. Revised and extended version of a paper with same title in 7th International Conference on Petri Nets and Performance Models - PNPM97, pages 101-110. IEEE Computer Society, 1997.

27. P. Kemper. SupGSPN Version 1.0 - an analysis engine for superposed GSPNs. Technical report, Universität Dortmund, 1997.

28. P. Kemper, F. Bause, P. Buchholz. A toolbox for functional and quantitative analysis of DEDS. Technical Report 680, Universität Dortmund, 1998.

29. P. Kemper, F. Bause, P. Buchholz. A toolbox for functional and quantitative analysis of DEDS. Short paper at PERFORMANCE TOOLS'98, 10th International Conference on Modelling Techniques and Tools for Computer Performance Evaluation, Palma de Mallorca, Spain, 1998; LNCS 1469, Springer-Verlag.

30. A. S. Miner. Superposition of generalized stochastic Petri nets and its impact on performance analysis. PhD thesis, The College of William and Mary, Williamsburg (USA), 2000.

31. A. Miner, G. Ciardo and S. Donatelli. Using the exact state space of a Markov model to compute approximate stationary measures. In J. Kurose and P. Nain, editors, Proceedings of the 2000 ACM SIGMETRICS Conference on Measurement and Modeling of Computer Systems, pages 207-216, June 2000. ACM Press.

32. S. Haddad and P. Moreaux. Asynchronous Composition of High Level Petri Nets: A Quantitative Approach. In Proc. of the 17th Intern. Conference on Applications and Theory of Petri Nets, June 1996, LNCS 1091, Springer-Verlag.

33. B. Plateau and K. Atif. Stochastic automata network for modeling parallel systems. IEEE Transactions on Software Engineering, 17(10):1093-1108, 1991.

34. B. Plateau. On the stochastic structure of parallelism and synchronization models for distributed algorithms. In Proc. 1985 ACM SIGMETRICS Conference, pages 147-154, Austin, TX, USA, August 1985. ACM Press.

35. B. Plateau. PEPS: A package for solving complex Markov models of parallel systems. In R. Puigjaner and D. Potier, editors, Modeling techniques and tools for computer performance evaluation, pages 291-306. Plenum Press, New York and London, 1990.

36. W. J. Stewart. Introduction to the Numerical Solution of Markov Chains. Princeton University Press, 1994.




The Flux of Interaction

Robin Milner

University of Cambridge, The Computer Laboratory,
New Museums Site, Cambridge CB2 3QG
Robin.Milner@cl.cam.ac.uk



Abstract. A graphical model of interactive systems called bigraphs is introduced, resting on the orthogonal treatment of connectivity and locality. The model will be shown to underlie several calculi for mobile systems, in particular the π-calculus and the ambient calculus. Its core behavioural theory will be outlined.



Lecture Summary 

The lecture will be about a simple graphical model for mobile computing.

Graphical or geometric models of computing are probably as old as the stored-program computer, possibly older. I do not know when the first flowchart was drawn. Though undeniably useful, flowcharts were denigrated because vital notions like parametric computing (the procedure, in Algol terms) found no place in them. But a graphical reduction model was devised by Wadsworth [?] for the lambda calculus, the essence of parametric (functional) computing. Meanwhile, Petri nets [?] made a breakthrough in understanding synchronization and concurrent control flow. Later, the chemical abstract machine (Cham) [?], employing a chemical analogy but clearly a spatial concept, clarified and generalised many features of process calculi.

Before designing CCS, I defined flow graphs [?] as a graphical presentation of flow algebra, an early form of what is now called structural congruence; it represented the static geometry of interactive processes. The pi calculus and related calculi are all concerned with a form of mobility; they all use some form of structural congruence, but are also informed by a kind of dynamic geometrical intuition, even if not expressed formally in those terms.

There are now many such calculi and associated languages. Examples are the pi calculus [?], the fusion calculus [?], the join calculus [?], the spi calculus [?], the ambient calculus [?], Pict [?], Nomadic Pict [?], explicit fusions [?]. While these calculi were evolving, in the action calculus project [?] we tried to distill their shared mobile geometry into the notion of action graph. This centred around a notion of molecule, a node in which further graphs may nest. All action calculi share this kind of geometry, and are distinguished only by a signature (a set of molecule types) and a set of reaction rules. The latter determine what configurations of molecules can react, and the contexts in which these reactions can take place.
Such a framework does not necessarily help in designing and analysing a calculus for a particular purpose. It becomes useful when it supplies non-trivial theory relevant to all, or a specific class of, calculi. Most process calculi are equipped with a behavioural theory: often a labelled transition system (LTS), or a reaction (= reduction) relation, together with a trace-based or (bi)simulation-based behavioural preorder or equivalence. Developing this theory is often hard work, especially proving that the behavioural relation is preserved by (some or all) contexts. Recently [?] we have defined a simple categorical notion of reactive system, and shown that under certain conditions an LTS may be uniformly derived for it, in such a way that various behavioural relations (including the failures preorder and bisimilarity) will automatically be congruential (i.e. preserved by contexts). We have also shown [?] that a substantial class of action calculi satisfy the required conditions. Thus we approach a non-trivial general theory for those calculi which fit the framework, as many do.

This work has encouraged us to base the theory on a simpler notion: a bigraph. Here is an example:




These graphs are a generalisation of Lafont's interaction nets [?]. They consist just of nodes (with many ports) and edges, but with a locality (i.e. a forest structure) imposed upon nodes quite independently of the edge wiring. This notion has grown out of action calculi but is also inspired by the Cham of Berry and Boudol [?], the ambient calculus of Cardelli and Gordon [?], the language Nomadic Pict of Sewell and Wojciechowski [?], and the fusion concept of Parrow and Victor [?] further developed by Gardner and Wischik [?]. Graphs with such additional structure are widely useful, and are studied in a recent Handbook edited by Rozenberg [?]. The intuition of bigraphs is that nodes have locality, wires (per se) don't. A node and its (nodal) contents can be an ambient, a physical location, a λ-abstraction, a program script, an administrative region, ... A node without contents can be a data constructor, a cryptographic key, a merge or copy node, a message envelope, ...

In the lecture I shall outline the basic behavioural theory of bigraphs. I shall show how it leads to congruential behavioural relations for a wide class of calculi for mobile systems. For example, I hope to compare the notion of bisimulation which it generates with that originally defined for the π-calculus [?]. This is work in progress.



Acknowledgement. I would like to thank my colleagues Luca Cattani, Philippa Gardner, Jamey Leifer and Peter Sewell for their co-operation, inspi-

Abstract. We set the ground for research on a timed extension of Petri
nets where time parameters are associated with tokens and arcs carry 
constraints that qualify the age of tokens required for enabling. The 
novelty is that, rather than a single global clock, we use a set of unre- 
lated clocks — possibly one per place — allowing a local timing as well 
as distributed time synchronisation. We give a formal definition of the 
model and investigate properties of local versus global timing, including 
decidability issues and notions of processes of the respective models. 



1 Introduction 



Verification of finite state systems has been an important area with successful applications to e.g. communication protocols, hardware structures, mobile phones, hi-fi equipment and many others. For systems that operate, for example, on data from unbounded domains, new methods must be proposed, since they are not finite state any more and model/equivalence checking is usually more difficult. Recently, algorithmic methods have been developed for process algebras generating infinite state systems [Mol96,BE97], timed process algebra [Yi90], Petri nets [Jan90], lossy vector addition systems [BM99], counter machines [Jan97,AC98], real time systems [ACD90,AD90,AD94,?] and many others. In particular, the idea to equip automata with real time appeared to be very fruitful and there are even automatic verification tools for such systems, as UPPAAL and KRONOS [?,BDM+98].



The main idea behind timed automata is to equip a standard automaton with a number of synchronous clocks, and to allow transitions (a) to be conditioned on clock values, and (b) to affect (reset) clocks. One of the objections to this formalism is the assumption of perfect synchrony between clocks. For many applications this assumption is justified, but for others it is an unrealistic assumption. It is easy to imagine systems which are geographically highly distributed where this is the case, but also within hardware design the issue has been addressed, e.g. within work on so-called Globally Asynchronous Locally Synchronous (GALS) systems [?].

We are looking for a formalism in which to model such systems. Petri nets 
seem to be a natural starting point, since one of the virtues of nets is the explicit 
representation of locality. 

Several models that take time features into account have been presented in the literature (for a survey see [?]). For example, timed transitions Petri nets were proposed by Ramchandani [Ram72]. Here each transition is annotated with its firing duration. Another model where time parameters are associated to the places is called timed places Petri nets, introduced by Sifakis [Sif77]. We will analyse timed-arc Petri nets [?], a time extension of Petri nets where time (age) is associated to tokens and transitions are labelled by time intervals, which restrict the age of tokens that can be used to fire the transition. In this model, time is considered to be global, i.e., all tokens grow older with the same speed. In spite of the fact that reachability is decidable for ordinary Petri nets [May81], reachability for global timed-arc Petri nets is undecidable [?]. On the other hand, coverability is decidable for global timed-arc Petri nets [?,AN01]. It is also known that the model offers 'weak' expressiveness, in the sense that it cannot simulate Turing machines [HG89].

We suggest a new model where time elapses in a place independently of other places, taking the view that places represent "localities". We generalise this idea of local clocks in such a way that we allow one to define an equivalence relation on places such that two places must synchronise if and only if they are in the same equivalence class. We call this model distributed timed-arc Petri nets. As special instances we get local timed-arc Petri nets (LT nets), where no places are forced to synchronise, and global timed-arc Petri nets (GT nets), with full synchronisation. There is yet another motivation for considering LT nets, namely that they seem to be a weaker model than the original one with global time, and some properties could be algorithmically verified. We investigate here to what extent this hope is justified.

2 Distributed Timed-Arc Petri Nets 

In this section we define formally the model and we consider both continuous 
and discrete time. 

Definition 1 (Distributed timed-arc Petri net).

A distributed timed-arc Petri net (DTAPN) is a tuple $N = (P, T, F, c, E, D)$, where

— $P$ is a finite set of places,

— $T$ is a finite set of transitions such that $T \cap P = \emptyset$,

— $F \subseteq (P \times T) \cup (T \times P)$ is a flow relation,

— $c: F|_{P \times T} \to D \times (D \cup \{\infty\})$ is a time constraint on transitions such that for each arc $(p,t) \in F$, if $c(p,t) = (t_1, t_2)$ then $t_1 \le t_2$,

— $E \subseteq P \times P$ is an equivalence relation on places (synchronisation relation),

— $D \in \{\mathbb{R}^{\ge 0}, \mathbb{N}\}$ is either continuous or discrete time.

Let $x \in D$ and $c(p,t) = (t_1, t_2)$. We write $x \in c(p,t)$ whenever $t_1 \le x \le t_2$. We also define ${}^\bullet t = \{p \mid (p,t) \in F\}$ and $t^\bullet = \{p \mid (t,p) \in F\}$.

Definition 2 (Marking).

Let $N = (P, T, F, c, E, D)$ be a DTAPN. A marking $M$ is a function

$M: P \to B(D)$

where $B(D)$ denotes the set of finite multisets on $D$.

Each place is thus assigned a certain number of tokens, and each token is annotated with a real (natural) number (age). Let $x \in B(D)$ and $a \in D$. We define $x \oplus a$ in such a way that we add the value $a$ to every element of $x$, i.e., $x \oplus a = \{b + a \mid b \in x\}$. As initial markings we allow only markings with all tokens of age 0.

Definition 3 (Marked DTAPN).

A marked DTAPN is a pair $(N, M)$ where $N$ is a distributed timed-arc Petri net and $M$ is an initial marking.

Let us now define the dynamics of DTAPNs. We introduce two types of transition rules: firing of a transition and time-elapsing.

Definition 4 (Transition rules).

Let $N = (P, T, F, c, E, D)$ be a DTAPN, $M$ a marking and $t \in T$.

— We say that $t$ is enabled by $M$ iff $\forall p \in {}^\bullet t.\ \exists x \in M(p).\ x \in c(p,t)$.

— If $t$ is enabled by $M$ then it can be fired, producing a marking $M'$ such that:

$\forall p \in P.\ M'(p) = \big(M(p) \setminus C^-(p,t)\big) \cup C^+(t,p)$

where $C^-$ and $C^+$ are chosen to satisfy the following equations (note that there may be more possibilities and that all the operations are on multisets):

$C^-(p,t) = \{x\}$ if $p \in {}^\bullet t \wedge x \in M(p) \wedge x \in c(p,t)$, and $C^-(p,t) = \emptyset$ otherwise;

$C^+(t,p) = \{0\}$ if $p \in t^\bullet$, and $C^+(t,p) = \emptyset$ otherwise.

Then we write $M[t\rangle M'$. Note that the new tokens added to places $t^\bullet$ are of the initial age 0.

Fig. 1. Example of time synchronisation for GT nets

— We define a time-elapsing transition $\varepsilon$, for $\varepsilon: P/E \to D$, as follows, where $[p]_E$ denotes the $E$-equivalence class of $p$:

$M[\varepsilon\rangle M'$ iff $\forall p \in P.\ M'(p) = M(p) \oplus \varepsilon([p]_E)$.

We write $M \to M'$ iff either $M[t\rangle M'$ or $M[\varepsilon\rangle M'$ for some $t$ or $\varepsilon$.

In particular we can consider the following two classes of DTAPNs. The first one requires an absolute synchronisation and was studied in the past, while the other one is a new model, completely asynchronous.

— Global timed-arc Petri nets (GT nets): $E = P \times P$.

— Local timed-arc Petri nets (LT nets): $E = \Delta_P = \{(p,p) \mid p \in P\}$.

3 Examples

In this section we present three examples of timed-arc Petri nets in order to demonstrate the usefulness of GT nets, LT nets and the general model of distributed timed-arc Petri nets. Let us first consider an example of a GT net. Figure 1 gives its graphical representation.

Places are drawn as circles and squares represent transitions with given names. The flow relation is present in the form of arcs, and every arc from a place to a transition carries a time interval. In the initial marking a pair of tokens of age 0 is present in the upper two places of the picture. An interesting transition is named 'synch'. This is an example of time synchronisation, in the sense that in order to fire this transition from the initial marking, there must be some time-elapsing step by 4 or 5 time units. If the net is considered with continuous time, any $\varepsilon$-elapsing step is also possible for $4 \le \varepsilon(P) \le 5$. Then we can fire the transition 'synch'. Whenever we want to fire this transition again, the ages of tokens in the places from ${}^\bullet\mathit{synch}$ must be synchronised in a similar fashion. Observe that the system can easily deadlock, since tokens in places may become dead, i.e., they are too old to be useful for firing a transition.

Let us have a look at Figure 2 now. This example is to demonstrate a simple producer/consumer system with continuous time. The net is considered with a local time and whenever a time constraint is missing on an arc, we implicitly
assume that this constraint is irrelevant, i.e., it is of the form $[0, \infty]$. Thus the only interesting place where time parameters are of importance is 'store'. The other places are just control ones and time can elapse completely independently there. From the initial marking we can fire a transition 'produce' which adds a number of products (tokens) into 'store'. If time elapses during the production process, products of several ages can appear in 'store'. By firing the transition 'switch' we add one token of age 0 into 'store' and one into the place 'consumer ready'. Now the consumer is active and can consume products of age 1 from 'store'. Notice that no time-elapsing step is allowed, otherwise there is no token of age 0 in 'store' and the transition 'get ready' cannot be fired. When the consumer has consumed all the products he wanted, a transition 'done' is performed (again checking that there is still the control token of age 0 in 'store') and the producer becomes active again. Since the consumer is not forced to consume all the products of age 1, it can be the case that products that are too old appear in 'store'; however, they can be recycled by firing the transition 'recycle'. The example in Figure 2 demonstrates that LT nets are not so weak as they may look. First, it shows that they allow one to implement a potentially infinite timed queue in a place (in our example in the place 'store'). Second, a mechanism is sketched for restricting a time-elapsing step by means of a control token (in our case this token is added by the transition 'switch').

The last example we will consider is Fischer's protocol for mutual exclusion. Fischer's protocol was suggested by Schneider, Bloom and Marzullo in [SBM92] for testing real-time systems and successfully verified using GT nets by Abdulla and Nylén [AN01]. Figure 3 is taken from the paper [AN01] and it demonstrates the running code for a process $i$. The idea is that we have potentially infinitely
Fig. 3. Fischer's protocol for mutual exclusion

Fig. 4. Dependent transitions in a GT net and independent in an LT net



many processes, each of them running the previously mentioned code. Processes operate on a common shared variable $v$, $A$ is the initial state and each process has its own clock $x_i$. All the clocks are globally synchronised. Our aim is to show that this protocol is correct in the sense that at most one process can enter the critical section CS.

Fischer's protocol can be easily modelled in the GT net formalism, as was shown in [AN01]. Synchronisation between places B and C is essential for the mutual exclusion property. However, in this example no behaviour of processes in the critical section is considered. So the protocol only ensures a safe scheduling mechanism. Assume that we have another GT net $N$ that models the process behaviour in the critical section. If we want, e.g., to put the control mechanism together with $N$ and still separate their time parameters, one solution is to define it as a distributed timed-arc Petri net. The places in the control mechanism will belong to one equivalence class and the places of $N$ will belong to the other equivalence class. Thus we obtain complete time-independence between the scheduling process and the process behaviour in the critical section.

4 Investigating DTAPNs 

We aim at providing a common ground on which to assess the relative expressiveness of GT nets and LT nets. One attempt is to formalise a notion of processes of DTAPNs. The standard notion of processes of P/T nets lends itself more readily to LT nets than to GT nets, as illustrated by the net of Figure 4.

Were this net an ordinary, untimed net, we could safely think of the transitions $t_1$ and $t_2$ as being completely independent. The situation is not so neat when we consider the time constraints. If we interpret the net as a GT net, i.e., we take the time to be global, after firing $t_2$ the transition $t_1$ cannot possibly fire anymore. So, even if there are no static connections between $t_1$ and $t_2$, the time constraints do not allow us to consider them as totally independent. If instead we consider the net under the local time interpretation, $t_1$ and $t_2$ are again independent, as they cannot affect each other's enabledness.
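As an added example (not code from the paper), here is a small Python interpreter for Definitions 1-4 that also replays the Figure 4 argument above: since the figure is not reproduced, the net, its place and transition names and its intervals are constructed assumptions chosen so that t2's window opens only after t1's has closed.

```python
"""Tiny DTAPN interpreter following Definitions 1-4 (added example, not
from the paper). Ages live on tokens, intervals on (place, transition)
arcs, and time elapses per E-equivalence class of places."""
from itertools import product


class DTAPN:
    def __init__(self, places, transitions, flow, constraints, classes):
        # flow: set of (src, dst) pairs; constraints: (p, t) -> (lo, hi);
        # classes: list of disjoint place sets whose union is P (this
        # induces the synchronisation relation E).
        self.P, self.T = list(places), list(transitions)
        self.F, self.c = set(flow), dict(constraints)
        self.cls = {p: i for i, grp in enumerate(classes) for p in grp}
        assert set(self.cls) == set(self.P), "classes must partition P"
        for (p, t), (lo, hi) in self.c.items():
            assert (p, t) in self.F and lo <= hi, "bad time constraint"

    def pre(self, t):   # the preset of t
        return [p for p in self.P if (p, t) in self.F]

    def post(self, t):  # the postset of t
        return [p for p in self.P if (t, p) in self.F]

    def in_c(self, x, p, t):
        lo, hi = self.c.get((p, t), (0, float("inf")))  # no interval = [0, inf]
        return lo <= x <= hi

    def enabled(self, M, t):
        # for every p in the preset there is a token whose age lies in c(p, t)
        return all(any(self.in_c(x, p, t) for x in M[p]) for p in self.pre(t))

    def fire(self, M, t):
        """Yield every M' with M[t>M': one per choice of consumed token ages."""
        pre = self.pre(t)
        choices = [sorted({x for x in M[p] if self.in_c(x, p, t)}) for p in pre]
        for pick in product(*choices):          # empty if t is not enabled
            M2 = {p: list(ages) for p, ages in M.items()}
            for p, x in zip(pre, pick):
                M2[p].remove(x)                 # C^-(p, t) = {x}, multiset removal
            for p in self.post(t):
                M2[p].append(0)                 # C^+(t, p) = {0}: new tokens have age 0
            yield M2

    def elapse(self, M, eps):
        """M[eps>M' where eps maps a class index to that class's delay."""
        return {p: [x + eps[self.cls[p]] for x in M[p]] for p in M}


# Constructed stand-in for the net of Figure 4 (names and intervals are
# assumptions): t1 and t2 share no place, only (in the GT case) the clock.
PLACES = ["p1", "p2", "q1", "q2"]
TRANS = ["t1", "t2"]
FLOW = {("p1", "t1"), ("t1", "q1"), ("p2", "t2"), ("t2", "q2")}
CONS = {("p1", "t1"): (0, 2), ("p2", "t2"): (3, 5)}
M0 = {"p1": [0], "p2": [0], "q1": [], "q2": []}


def gt_net():  # E = P x P: one class, one clock
    return DTAPN(PLACES, TRANS, FLOW, CONS, [set(PLACES)])


def lt_net():  # E = Delta_P: every place is its own class
    return DTAPN(PLACES, TRANS, FLOW, CONS, [{p} for p in PLACES])


def t1_enabled_after_t2(net, delay=3):
    """Let p2's class age by `delay` (just enough for t2), fire t2, then ask
    whether t1 is still enabled. Under global time p1's token ages too and
    leaves its [0, 2] window; under local time it stays at age 0."""
    eps = {i: 0 for i in set(net.cls.values())}
    eps[net.cls["p2"]] = delay
    M1 = net.elapse(M0, eps)
    assert net.enabled(M1, "t2")
    M2 = next(net.fire(M1, "t2"))
    return net.enabled(M2, "t1")


if __name__ == "__main__":
    print("GT net, t1 after t2:", t1_enabled_after_t2(gt_net()))  # False
    print("LT net, t1 after t2:", t1_enabled_after_t2(lt_net()))  # True
```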

We study DTAPN processes in order to establish their properties with respect 
to timed firing sequences and to be able to prove results assessing the relative 
expressiveness of LT versus GT nets. 

Another attempt is to consider various decidability questions. Ruiz, Gomez and Escrig recently proved in [?] that reachability is undecidable for GT nets. Their proof does not imply undecidability for LT nets, because it relies on synchronised places. In principle, it may seem that the model of LT nets is less powerful than the one of GT nets.

Nevertheless, we demonstrate that reachability for LT nets is undecidable as well. The proof is based on a reduction from the halting problem of Minsky machines with two counters. Notice that this contrasts with the result by Mayr [May81] stating the decidability of reachability for ordinary Petri nets. The reachability problem for local timed-arc Petri nets can be formulated as follows.



Problem: Reachability for LT nets. 

Instance: A marked LT net $(N, M)$ and a final marking $M'$. 
Question: $M \to^* M'$? 



Theorem 1. Reachability for LT nets is undecidable. 

On the other hand, we only need to restrict the class of considered nets very 
little in order to get the expected difference between local and global timed nets. 
Say that a marking is simple if each place contains at most one token, and that 
a marked DTAPN is simple if the initial marking is simple. 

Theorem 2. Reachability is decidable for simple LT nets, but undecidable for 
simple GT nets. 

The coverability problem for GT nets was shown to be decidable — for 
discrete time in IRdf'EAbOl and for continuous time in iMnn. By modifying 
these results we get that coverability is decidable even for DTAPNs. The problem 
is defined as follows. 



Problem: Coverability for DTAPNs. 

Instance: A marked DTAPN $(N, M)$ and a final marking $M'$. 
Question: $\exists M''.\ M \to^* M'' \wedge \forall p \in P.\ M'(p) \subseteq M''(p)$? 



Theorem 3. Coverability for DTAPNs is decidable. 

5 Conclusion 

We have introduced a Petri net model aimed at capturing the ideas behind 
the Globally Asynchronous Locally Synchronous paradigm, and provided some 
initial results on our model. However, we believe there are many interesting 
problems to be addressed in the future for such models. 
Abstract. The behavioral-inheritance relations of (vitij can be used 
to compare the life cycles of objects defined in terms of Petri nets. 

They yield partial orders on object life cycles (OLCs). Based on these 
orders, we define concepts such as the greatest common divisor and the 
least common multiple of a set of OLCs. These concepts have practical 
relevance: In component-based design, workflow management, ERP 
reference models, and electronic-trade procedures, there is a constant 
need for identifying commonalities and differences in OLCs. Our results 
provide the theoretical basis for comparing, customizing, and unifying 
OLCs. 

Keywords: Petri nets, inheritance, lattices, partial orders, object-oriented 
methods, workflow management. 

1 Introduction 

For several years, we have been working on notions of inheritance of behavior [Z1 
E]. Inheritance is a key issue in object-oriented design. It allows for the def- 
inition of subclasses that inherit features of some superclass. Inheritance is well 
defined for static properties of classes such as attributes and methods. However, 
there is no general agreement on the meaning of inheritance when considering 
the dynamic behavior of objects, captured by their life cycles. In our work, we 
use Petri nets |lbll9j for defining object life cycles (OLCs); they allow for a 
graphical representation with an explicit representation of object states. In [3 
E], four behavioral-inheritance notions have been defined, based on the principle 
that by blocking and/or hiding methods of a subclass the resulting behavior 
should match the behavior of the superclass. 

We have applied the behavioral-inheritance concepts in different domains 
ranging from workflow management ^ and electronic commerce P| to object- 
oriented methods and component-based software architectures |S|. In each 
of these applications, objects are designed and compared. The objects of interest 
can be insurance claims, orders, bank accounts, hardware modules, or software 
components. One thing they have in common is that they have a life cycle. 
The inheritance notions have been used as a basis for the comparison of these 
OLCs. The applications revealed a new and intriguing question: Given a set of 
OLCs, what do these OLCs have in common? In this paper, we provide some 
fundamental results that can be used to answer this question. 

Consider a set of OLCs that are variants of some process (a workflow or trade 
procedure, or the control flow in a hardware or software component). Each of 
the inheritance relations yields a partial order that can be used to reason about 
a common super- or subclass of the variants. The Greatest Common Divisor 
(GCD) is the common superclass which preserves as much information about 
the OLCs as possible, i.e., it is not possible to construct a more detailed OLC 
which is also a superclass of all variants. The GCD describes the behavior all 
variants agree on. The Least Common Multiple (LCM) is the most compact OLC 
which is still a subclass of all variants. For each of the application domains men- 
tioned, there is a clear use for such concepts. Consider for example two similar 
software components. The GCD can be used to deduce what both components 
have in common; the LCM can be used to construct a generic component which 
can be used to replace the other two. Another example is the use of ad-hoc 
workflows. Workflow management systems such as InConcert (TIBCO) allow 
for case-specific variants of a workflow process. Both the GCD and the LCM of 
these variants can be used to generate meaningful management information j^. 

In this paper, we define the concepts of GCDs and LCMs based on the four 
inheritance relations mentioned earlier. Since none of them forms a (complete) 
lattice, a restrictive definition leads to situations where there is no GCD (LCM) 
and a more liberal definition leads to situations where there are multiple GCDs 
(LCMs). Both situations are undesirable. We tackle this problem by giving both 
more restrictive and more liberal definitions. For the latter, we use the terms 
Maximal Common Divisor (MCD) and Minimal Common Multiple (MCM). We 
use the Dedekind-MacNeille completion HD to turn an inheritance partial order 
into a complete lattice with virtual nodes. In such a lattice, each set of variants 
has a GCD and an LCM. However, they may correspond to a so-called virtual 
OLC. Although a virtual OLC cannot be represented by a single Petri net, it 
provides meaningful information on commonalities and differences. 

The paper is organized as follows. Section 2 introduces preliminaries. The 
behavioral-inheritance concepts are given in Section 3. The other sections deal 
with GCDs, LCMs, MCDs, and MCMs. Section 4 studies these notions in the 
context of life-cycle inheritance, the most general form of inheritance. In Sec- 
tion 5 the results are extended to the three other notions of inheritance. Section 6 
uses the Dedekind-MacNeille completion to guarantee the existence of GCDs and 
LCMs. We conclude with some remarks on the application of our results. 



2 Preliminaries 

This section introduces the techniques used in the remainder. Standard def- 
initions for Petri nets are given. Moreover, more advanced concepts such as 
branching bisimilarity and OLCs are presented. 
2.1 Labeled Place/Transition Nets 

We define a variant of the classic Petri-net model, namely labeled Place/Transition 
nets. For an elaborate introduction to Petri nets, the reader is referred to m 
EHng. Let $L$ be some set of action labels. These labels correspond to methods 
when modeling OLCs. 

Definition 2.1. (Labeled P/T-nets)¹ An L-labeled Place/Transition net, or 
simply labeled P/T-net, is a tuple $(P, T, F, \ell)$ where: 

1. $P$ is a finite set of places, 
2. $T$ is a finite set of transitions such that $P \cap T = \emptyset$, 
3. $F \subseteq (P \times T) \cup (T \times P)$ is a set of directed arcs, called the flow relation, and 
4. $\ell : T \to L$ is a labeling function. 

A marked, L-labeled P/T-net is a pair $(N, s)$, where $N = (P, T, F, \ell)$ is an L- 
labeled P/T-net and where $s$ is a bag over $P$ denoting the marking of the net. 
The set of all marked, L-labeled P/T-nets is denoted $\mathcal{N}$. 

A marking is a bag over the set of places $P$, i.e., it is a function from $P$ to 
the natural numbers. We use square brackets for the enumeration of a bag, e.g., 
$[a^2, b, c^3]$ denotes the bag with two a-s, one b, and three c-s. The sum of two bags 
($X + Y$), the difference ($X - Y$), the presence of an element in a bag ($a \in X$), 
and the notion of subbags ($X \leq Y$) are defined in a straightforward way and 
they can handle a mixture of sets and bags. 

Transition labeling is needed for two reasons. First, a P/T-net modeling an 
OLC may contain several transitions referring to a single method (identified 
by the label) in the OLC. Second, we use transition labels as a mechanism to 
abstract from (internal) methods. For simplicity, we assume that transition labels 
are identical to transition identifiers unless explicitly stated otherwise. 

Let $N = (P, T, F, \ell)$ be a labeled P/T-net. Elements of $P \cup T$ are called nodes. 
A node $x$ is an input node of another node $y$ iff there is a directed arc from $x$ 
to $y$ (i.e., $xFy$). Node $x$ is an output node of $y$ iff $yFx$. For any $x \in P \cup T$, 
$\bullet^N x = \{y \mid yFx\}$ and $x \bullet^N = \{y \mid xFy\}$; the superscript $N$ may be omitted if clear 
from the context. 

The dynamic behavior of marked, labeled P/T-nets is defined by a firing 
rule. 

Definition 2.2. (Firing rule) Let $(N = (P, T, F, \ell), s)$ be a marked, labeled 
P/T-net. Transition $t \in T$ is enabled, denoted $(N, s)[t\rangle$, iff $\bullet t \leq s$. The firing rule 
$\_\,[\_\rangle\,\_ \subseteq \mathcal{N} \times L \times \mathcal{N}$ is the smallest relation satisfying for any $(N = (P, T, F, \ell), s) \in$ 
$\mathcal{N}$ and any $t \in T$, $(N, s)[t\rangle \Rightarrow (N, s)\,[\ell(t)\rangle\,(N, s - \bullet t + t \bullet)$. 

A transition firing is also referred to as an action. 

¹ In the literature, the class of Petri nets introduced in Definition 2.1 is sometimes 
referred to as the class of (labeled) ordinary P/T-nets to distinguish it from the 
class of Petri nets that allows more than one arc between a place and a transition. 
Definition 2.3. (Reachable markings) Let $(N, s_0)$ be a marked, labeled P/T- 
net in $\mathcal{N}$. A marking $s$ is reachable from the initial marking $s_0$ iff there exists 
a sequence of enabled transitions whose firing leads from $s_0$ to $s$. The set of 
reachable markings of $(N, s_0)$ is denoted $[N, s_0\rangle$. 

Definition 2.4. (Connectedness) A net $N = (P, T, F, \ell)$ is weakly connected, 
or simply connected, iff, for every two nodes $x$ and $y$ in $P \cup T$, $x (F \cup F^{-1})^* y$, 
where $R^{-1}$ is the inverse and $R^*$ the reflexive and transitive closure of a relation 
$R$. Net $N$ is strongly connected iff, for every two nodes $x$ and $y$, $x F^* y$. 

We assume that all nets are weakly connected and have at least two nodes. 

Definition 2.5. (Boundedness, safeness) A marked net $(N = (P, T, F, \ell), s)$ 
is bounded iff the set of reachable markings $[N, s\rangle$ is finite. It is safe iff, for any 
$s' \in [N, s\rangle$ and any $p \in P$, $s'(p) \leq 1$. Note that safeness implies boundedness. 

Definition 2.6. (Dead transitions, liveness) Let $(N = (P, T, F, \ell), s)$ be 
a marked, labeled P/T-net. A transition $t \in T$ is dead in $(N, s)$ iff there is 
no reachable marking $s' \in [N, s\rangle$ such that $(N, s')[t\rangle$. $(N, s)$ is live iff, for every 
reachable marking $s' \in [N, s\rangle$ and $t \in T$, there is a reachable marking $s'' \in [N, s'\rangle$ 
such that $(N, s'')[t\rangle$. Note that liveness implies the absence of dead transitions. 



2.2 Branching Bisimilarity 

To formalize the inheritance concepts in this paper, we need a notion of equiva- 
lence. We choose branching bisimilarity [13 as the standard equivalence relation. 
The notion of a silent action is pivotal to branching bisimilarity. Silent actions, 
denoted with the label $\tau$, are actions that cannot be observed. Thus, only the 
firings of transitions of a P/T-net with a label different from $\tau$ are observable. 
We distinguish successful termination from deadlock. A termination predicate 
$\downarrow \subseteq \mathcal{N}$ defines in what states a marked net can terminate successfully. A marked 
net that cannot perform any actions or terminate successfully is in a deadlock. 

We need two auxiliary definitions: (1) a relation expressing that a marked net 
can evolve via zero or more $\tau$ actions into another marked net; (2) a predicate 
expressing that a marked net can terminate via zero or more $\tau$ actions. 

Definition 2.7. The relation $\_ \Longrightarrow \_ \subseteq \mathcal{N} \times \mathcal{N}$ is defined as the smallest relation 
satisfying, for any $p, p', p'' \in \mathcal{N}$, $p \Longrightarrow p$ and $(p \Longrightarrow p' \wedge p'\,[\tau\rangle\,p'') \Rightarrow p \Longrightarrow p''$. 
The predicate $\Downarrow \_ \subseteq \mathcal{N}$ is defined as the smallest set of marked, labeled P/T-nets 
satisfying, for any $p, p' \in \mathcal{N}$, $\downarrow p \Rightarrow \Downarrow p$ and $(\Downarrow p \wedge p'\,[\tau\rangle\,p) \Rightarrow \Downarrow p'$. 

For any two marked, L-labeled P/T-nets $p, p' \in \mathcal{N}$ and action $a \in L$, $p\,[(a)\rangle\,p'$ 
is an abbreviation of $(a = \tau \wedge p = p') \vee p\,[a\rangle\,p'$. Thus, $p\,[(\tau)\rangle\,p'$ means that zero 
$\tau$ actions are performed, when the first disjunct is satisfied, or that one $\tau$ action 
is performed, when the second disjunct is satisfied. For any observable action 
$a \in L \setminus \{\tau\}$, the first disjunct of the predicate can never be satisfied. Hence, 
$p\,[(a)\rangle\,p'$ simply equals $p\,[a\rangle\,p'$, meaning that a single $a$ action is performed. 



W.M.P. van der Aalst and T. Basten 



Definition 2.8. (Branching bisimilarity) A binary relation $\mathcal{R} \subseteq \mathcal{N} \times \mathcal{N}$ is 
called a branching bisimulation if and only if, for any $p, p', q, q' \in \mathcal{N}$ and $a \in L$, 

1. $p \mathcal{R} q \wedge p\,[a\rangle\,p' \Rightarrow (\exists q', q'' : q', q'' \in \mathcal{N} : q \Longrightarrow q'' \wedge q''\,[(a)\rangle\,q' \wedge p \mathcal{R} q'' \wedge p' \mathcal{R} q')$, 
2. $p \mathcal{R} q \wedge q\,[a\rangle\,q' \Rightarrow (\exists p', p'' : p', p'' \in \mathcal{N} : p \Longrightarrow p'' \wedge p''\,[(a)\rangle\,p' \wedge p'' \mathcal{R} q \wedge p' \mathcal{R} q')$, 
3. $p \mathcal{R} q \Rightarrow (\Downarrow p \Leftrightarrow \Downarrow q)$. 

Two marked, labeled P/T-nets are called branching bisimilar, denoted $p \sim_b q$, if 
and only if there exists a branching bisimulation $\mathcal{R}$ such that $p \mathcal{R} q$. 

Branching bisimilarity is an equivalence relation on $\mathcal{N}$, i.e., $\sim_b$ is reflexive, 
symmetric, and transitive (see |Z] for a detailed proof). 



2.3 Object Life Cycles 

Petri nets allow for the graphical representation of OLCs with an explicit repre- 
sentation of states and a clear definition of the initial (object creation) and final 
(object termination) state. OLCs correspond to the diagrams used in object- 
oriented methods (e.g., statechart diagrams in UML cni), process definitions 
used by workflow management systems [1311, reference models used in ERP 
systems (e.g., EPCs used by SAP C3), and trade procedures as defined in nni. 

Definition 2.9. (Object life cycle) Let $N = (P, T, F, \ell)$ be an L-labeled P/T- 
net and $t$ a fresh identifier not in $P \cup T$. $N$ is an object life cycle (OLC) iff: 

1. object creation: $P$ contains an input place $i$ such that $\bullet i = \emptyset$, 
2. object completion: $P$ contains an output place $o$ such that $o \bullet = \emptyset$, 
3. connectedness: $\overline{N} = (P, T \cup \{t\}, F \cup \{(o, t), (t, i)\}, \ell \cup \{(t, \tau)\})$ is strongly 
connected, 
4. safeness: $(N, [i])$ is safe, 
5. proper completion: for any marking $s \in [N, [i]\rangle$, $o \in s$ implies $s = [o]$, 
6. option to complete: for any marking $s \in [N, [i]\rangle$, $[o] \in [N, s\rangle$, and 
7. absence of dead methods: $(N, [i])$ contains no dead transitions. 

The set of all OLCs is denoted $\mathcal{O}$. 

An OLC satisfies seven requirements. First, an OLC has one place $i$ without any 
input transitions. A token in $i$ corresponds to an object which is created, i.e., at 
the beginning of its life cycle. Second, an OLC has one place $o$ without output 
transitions. A token in $o$ corresponds to an object that is destroyed. Third, an 
OLC should not have “dangling” transitions and/or places. Thus, every node of 
an OLC should be located on a path from $i$ to $o$. This requirement corresponds 
to strong connectedness if $o$ is connected to $i$ via an additional transition $t$. The 
net $\overline{N}$ used to formulate the connectedness constraint is called the short-circuited 
net. The label of the new transition is not important and simply set to $\tau$. The 
fourth requirement says that an OLC is safe. This is a reasonable assumption 
since places in an OLC correspond to conditions which are either true (marked 
by a token) or false (empty). The fifth requirement states that the moment a 
token is put into $o$ all the other places should be empty, which corresponds 
to the completion of an OLC without leaving dangling references. The sixth 
requirement states that starting from the initial marking $[i]$ it is always possible 
to reach the marking with one token in $o$, which means that it is always feasible 
to complete the OLC. The last requirement implies that for each transition there 
is a scenario in which the transition is performed. 

The notion of an OLC is strongly related to the notion of a sound workflow net 
05. A workflow net also describes the life cycle of one object, often called a case 
or a workflow instance. The applicability of the results in this paper transcends 
workflow management. Therefore, we prefer the term object life cycle (OLC). 
Since transition labels in OLCs correspond to methods, we also use the term 
“method” implicitly for transitions. 

The last four requirements in Definition 2.9 coincide with liveness and safe- 
ness of the short-circuited net $\overline{N}$. Thus, we can use standard techniques for 
checking the life-cycle requirements. Our tool Woflan 031 has been specifically 
designed to analyze the requirements stated in Definition 2.9. 

We introduced branching bisimilarity as the standard equivalence. Recall 
that branching bisimilarity distinguishes successful termination and deadlock. 
An OLC can only terminate successfully in marking [o] . 

Definition 2.10. The class of marked, labeled P/T-nets $\mathcal{N}$ is equipped with 
the following termination predicate: $\downarrow\, = \{(N, [o]) \mid N \in \mathcal{O}\}$. 

Definition 2.11. (Behavioral equivalence of OLCs) For OLCs $N_0$ and $N_1$ 
in $\mathcal{O}$, $N_0 = N_1$ if and only if $(N_0, [i]) \sim_b (N_1, [i])$. 

The set of visible actions that an OLC can perform is called the alphabet of the 
OLC. Since an OLC does not have any dead transitions, its alphabet simply is 
the set of its transition labels excluding silent action r. 

Definition 2.12. (Alphabet) For any OLC $N = (P, T, F, \ell)$ in $\mathcal{O}$, its alphabet 
$\alpha(N)$ equals $\{\ell(t) \mid t \in T \wedge \ell(t) \neq \tau\}$. 

3 Inheritance 

In this section, we define four behavioral-inheritance relations for OLCs. For a 
detailed motivation and an overview of related work, we refer to jSj. Consider 
two OLCs $x$ and $y$. When is $x$ a subclass of $y$? Intuitively, one could say that $x$ 
is a subclass of $y$ iff $x$ can do what $y$ can do. Clearly, all methods of $y$ should 
also be present in $x$. Moreover, $x$ will typically add new methods. Therefore, it is 
reasonable to demand that $x$ can do what $y$ can do with respect to the methods 
present in $y$. With respect to new methods (i.e., methods present in $x$ but not in 
$y$), there are basically two mechanisms which can be used. The first one simply 
disallows the execution of any new methods. 

If it is not possible to distinguish the behaviors of $x$ and $y$ when only methods 
of $x$ that are also present in $y$ are executed, then $x$ is a subclass of $y$. 

This definition conforms to blocking methods new in $x$. The resulting inheritance 
concept is called protocol inheritance; $x$ inherits the protocol of $y$. 

Another mechanism would be to allow for the execution of new methods but 
to consider only the effects of old ones. 

If it is not possible to distinguish the behaviors of x and y when arbitrary 
methods of x are executed but when only the effects of methods that are also 
present in y are considered, then x is a subclass of y. 

This inheritance notion is called projection inheritance; it conforms to hiding 
methods new in $x$. This can be achieved by renaming these methods to the 
silent action $\tau$. 




[Figure 1: the OLCs $N_0$, $N_1$, $N_2$, $N_3$, $N_4$; image not reproduced] 

Fig. 1. Five object life cycles. 



Although the distinction between the two inheritance mechanisms may seem 
subtle, the corresponding inheritance notions are quite different. To illustrate 
this, we use the five OLCs of Figure 1. $N_0$ corresponds to a sequential OLC 
consisting of three methods a, b, and c. Each of the other OLCs extends $N_0$ 
with one additional method. In $N_1$, method d can be executed instead of b. $N_1$ 
is a subclass of $N_0$ under protocol inheritance; if d is blocked, $N_1$ is equivalent 
to $N_0$. $N_1$ is not a subclass of $N_0$ under projection inheritance, because it is 
possible to skip method b by executing the (hidden) method d. In $N_2$, method 
e can be executed arbitrarily many times between a and b. $N_2$ is a subclass 
of $N_0$ under protocol inheritance; if e is blocked, then $N_2$ equals $N_0$. $N_2$ is 
also a subclass of $N_0$ under projection inheritance; if every execution of e is 
hidden, then $N_2$ is equivalent (as defined in Definition 2.11) to $N_0$. In OLC $N_3$, 
method f is executed in parallel with b. $N_3$ is not a subclass of $N_0$ under protocol 
inheritance; if f is blocked, then c cannot be executed. However, $N_3$ is a subclass 
of $N_0$ under projection inheritance. If one hides the newly-added method f, one 
cannot distinguish $N_3$ and $N_0$. Method g is inserted between a and b in the 
remaining OLC $N_4$. $N_4$ is not a subclass of $N_0$ under protocol inheritance; if g is 
blocked, the OLC deadlocks after executing a. However, $N_4$ is a subclass of $N_0$ 
under projection inheritance. If one hides g, one cannot observe any differences 
between the behaviors of $N_4$ and $N_0$. 

The two mechanisms (i.e., blocking and hiding) result in orthogonal inheri- 
tance notions. We also consider combinations of the two. An OLC is a subclass 
of another OLC under protocol/projection inheritance iff both by hiding the new 
methods and by blocking the new methods one cannot detect any differences, 
i.e., it is a subclass under both protocol and projection inheritance. In Figure 1, 
$N_2$ is a subclass of $N_0$ under protocol/projection inheritance. The two mecha- 
nisms can also be used to obtain a more general form of inheritance. An OLC 
is a subclass of another OLC under life-cycle inheritance iff by blocking some 
newly-added methods and by hiding some others one cannot distinguish them. 
All OLCs in Figure 1 are subclasses of $N_0$ under life-cycle inheritance. 

To formalize the inheritance relations, we define two operators on P/T-nets: 
encapsulation for blocking and abstraction for hiding methods. They are inspired 
by the encapsulation and abstraction operators from process algebra jOlIl.² 

Definition 3.1. (Encapsulation) Let $N = (P, T_0, F_0, \ell_0)$ be an L-labeled 
P/T-net. For any $H \subseteq L \setminus \{\tau\}$, the encapsulation operator $\partial_H$ is a func- 
tion that removes from a given P/T-net all transitions with a label in $H$. 
Formally, $\partial_H(N) = (P, T_1, F_1, \ell_1)$ such that $T_1 = \{t \in T_0 \mid \ell_0(t) \notin H\}$, 
$F_1 = F_0 \cap ((P \times T_1) \cup (T_1 \times P))$, and $\ell_1 = \ell_0 \cap (T_1 \times L)$. 

Note that removing transitions from an OLC as defined in Definition 2.9 might 
yield a P/T-net that is no longer an OLC. 

Definition 3.2. (Abstraction) Let $N = (P, T, F, \ell_0)$ be an L-labeled P/T-net. 
For any $I \subseteq L \setminus \{\tau\}$, the abstraction operator $\tau_I$ is a function that renames all 
transition labels in $I$ to the silent action $\tau$. Formally, $\tau_I(N) = (P, T, F, \ell_1)$ such 
that, for any $t \in T$, $\ell_0(t) \in I$ implies $\ell_1(t) = \tau$ and $\ell_0(t) \notin I$ implies $\ell_1(t) = \ell_0(t)$. 
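As an added example (our own code, not the paper's or Woflan's), the following Python implements the firing rule of Definition 2.2, the reachable markings of Definition 2.3, requirements 4-7 of Definition 2.9, and the operators $\partial_H$ and $\tau_I$ of Definitions 3.1 and 3.2, and runs them on nets constructed from the prose description of Figure 1 (the figure is not in the text, so the place names and arc layout are our assumptions). It confirms the claims made above: blocking d in $N_1$ leaves an OLC, while blocking g in $N_4$ or f in $N_3$ destroys the option to complete.

```python
from collections import deque

TAU = "tau"  # the silent action

class PTNet:
    """Labeled P/T-net (P, T, F, l) of Definition 2.1. A marking (a bag over P) is a
    dict place -> count while firing, and a frozenset of (place, count) pairs when stored."""

    def __init__(self, places, transitions, flow, labels):
        self.P, self.T, self.F, self.l = set(places), set(transitions), set(flow), dict(labels)

    def pre(self, t):  # the preset •t
        return [p for (p, x) in self.F if x == t]

    def post(self, t):  # the postset t•
        return [p for (x, p) in self.F if x == t]

    def enabled(self, m, t):  # (N,s)[t> iff •t <= s (Definition 2.2)
        return all(m.get(p, 0) >= 1 for p in self.pre(t))

    def fire(self, m, t):  # the marking s - •t + t• reached by firing t
        s = dict(m)
        for p in self.pre(t):
            s[p] -= 1
        for p in self.post(t):
            s[p] = s.get(p, 0) + 1
        return frozenset((p, n) for p, n in s.items() if n > 0)

def alphabet(net):
    """alpha(N) of Definition 2.12: the transition labels other than tau."""
    return {l for l in net.l.values() if l != TAU}

def encapsulate(net, H):
    """d_H of Definition 3.1: drop every transition labeled in H together with its arcs
    (each arc touches exactly one transition, since P and T are disjoint)."""
    T1 = {t for t in net.T if net.l[t] not in H}
    F1 = {(x, y) for (x, y) in net.F if x in T1 or y in T1}
    return PTNet(net.P, T1, F1, {t: net.l[t] for t in T1})

def abstract(net, I):
    """tau_I of Definition 3.2: relabel every transition labeled in I to tau."""
    return PTNet(net.P, net.T, net.F, {t: (TAU if l in I else l) for t, l in net.l.items()})

def olc_check(net, i="i", o="o"):
    """Requirements 4-7 of Definition 2.9 for (N,[i]). The set [N,[i]> of Definition 2.3 is
    explored breadth-first; the search stops at the first marking with two tokens in one
    place, so it also terminates on unbounded nets (the other three answers are then None)."""
    start, final = frozenset({(i, 1)}), frozenset({(o, 1)})
    seen, edges, queue = {start}, [], deque([start])
    while queue:
        s = queue.popleft()
        m = dict(s)
        if any(n > 1 for n in m.values()):
            return {"safe": False, "proper_completion": None, "option_to_complete": None, "no_dead_transitions": None}
        for t in net.T:
            if net.enabled(m, t):
                s2 = net.fire(m, t)
                edges.append((s, t, s2))
                if s2 not in seen:
                    seen.add(s2)
                    queue.append(s2)
    # proper completion: whenever o is marked, the marking is exactly [o]
    proper = all(s == final for s in seen if o in dict(s))
    # option to complete: [o] is reachable from every reachable marking, decided by a
    # backward search from [o] over the edges of the reachability graph
    pred = {}
    for s, _, s2 in edges:
        pred.setdefault(s2, set()).add(s)
    can_finish = {final} if final in seen else set()
    todo = deque(can_finish)
    while todo:
        for s0 in pred.get(todo.popleft(), ()):
            if s0 not in can_finish:
                can_finish.add(s0)
                todo.append(s0)
    return {"safe": True, "proper_completion": proper, "option_to_complete": seen <= can_finish,
            "no_dead_transitions": {t for _, t, _ in edges} == net.T}

# Constructed nets following the prose description of Figure 1 (place names are our own):
# N0 runs a, b, c in sequence; N1 adds d as an alternative to b; N3 runs f in parallel
# with b (c consumes from both branches); N4 inserts g between a and b.
N0 = PTNet("i p1 p2 o".split(), "a b c".split(),
           [("i", "a"), ("a", "p1"), ("p1", "b"), ("b", "p2"), ("p2", "c"), ("c", "o")],
           {"a": "a", "b": "b", "c": "c"})
N1 = PTNet(N0.P, N0.T | {"d"}, N0.F | {("p1", "d"), ("d", "p2")}, {**N0.l, "d": "d"})
N3 = PTNet("i p1 p2 p3 p4 o".split(), "a b c f".split(),
           [("i", "a"), ("a", "p1"), ("a", "p3"), ("p1", "b"), ("b", "p2"),
            ("p3", "f"), ("f", "p4"), ("p2", "c"), ("p4", "c"), ("c", "o")],
           {"a": "a", "b": "b", "c": "c", "f": "f"})
N4 = PTNet("i p1 p2 p3 o".split(), "a b c g".split(),
           [("i", "a"), ("a", "p1"), ("p1", "g"), ("g", "p3"), ("p3", "b"),
            ("b", "p2"), ("p2", "c"), ("c", "o")],
           {"a": "a", "b": "b", "c": "c", "g": "g"})

if __name__ == "__main__":
    print("N0:       ", olc_check(N0))                      # all four requirements hold
    print("d_{d}(N1):", olc_check(encapsulate(N1, {"d"})))  # blocking d leaves an OLC
    print("d_{g}(N4):", olc_check(encapsulate(N4, {"g"})))  # deadlock after a: no option to complete
    print("d_{f}(N3):", olc_check(encapsulate(N3, {"f"})))  # c can never fire
    print("alpha(tau_{g}(N4)):", alphabet(abstract(N4, {"g"})))
```

The first three requirements of Definition 2.9 (the places i and o and strong connectedness of the short-circuited net) are structural and are not checked by this sketch.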

The formal definitions of the four inheritance relations are slightly more general 
than the informal definitions given above: An OLC is a subclass of another OLC 
if and only if there exists some set of methods such that encapsulating or hiding 
these methods in the first OLC yields the other OLC. Not requiring that the 
methods being encapsulated or hidden must be exactly the newly-added methods 
can sometimes be convenient. In it is shown that the formal and informal 
definitions are equivalent. Recall Definition 2.8 (branching bisimilarity, $\sim_b$). 

Definition 3.3. (Inheritance relations) 

1. Protocol inheritance: For any OLCs $N_0$ and $N_1$ in $\mathcal{O}$, OLC $N_1$ is a subclass of 
$N_0$ under protocol inheritance, denoted $N_1 \leq_{pt} N_0$, iff there is an $H \subseteq L \setminus \{\tau\}$ 
such that $(\partial_H(N_1), [i]) \sim_b (N_0, [i])$. 

2. Projection inheritance: For any OLCs $N_0$ and $N_1$ in $\mathcal{O}$, OLC $N_1$ is a subclass 
of $N_0$ under projection inheritance, denoted $N_1 \leq_{pj} N_0$, iff there is an $I \subseteq$ 
$L \setminus \{\tau\}$ such that $(\tau_I(N_1), [i]) \sim_b (N_0, [i])$. 

3. Protocol/projection inheritance: For any OLCs $N_0$ and $N_1$ in $\mathcal{O}$, OLC $N_1$ is a 
subclass of $N_0$ under protocol/projection inheritance, denoted $N_1 \leq_{pp} N_0$, iff 
there is an $H \subseteq L \setminus \{\tau\}$ such that $(\partial_H(N_1), [i]) \sim_b (N_0, [i])$ and an $I \subseteq L \setminus \{\tau\}$ 
such that $(\tau_I(N_1), [i]) \sim_b (N_0, [i])$. 

4. Life-cycle inheritance: For any OLCs $N_0$ and $N_1$ in $\mathcal{O}$, $N_1$ is a subclass of $N_0$ 
under life-cycle inheritance, denoted $N_1 \leq_{lc} N_0$, iff there are an $I \subseteq L \setminus \{\tau\}$ 
and an $H \subseteq L \setminus \{\tau\}$ such that $I \cap H = \emptyset$ and $(\tau_I \circ \partial_H(N_1), [i]) \sim_b (N_0, [i])$. 

² Note that the terms “abstraction” and “encapsulation” in process algebra have a 
different meaning than the same terms in object-oriented design. In this paper, they 
always refer to the process-algebraic concepts. 

Note that for life-cycle inheritance the new methods are partitioned into two sets 
$H$ and $I$: methods that are blocked by means of the operator $\partial_H$ and methods 
that are hidden by means of $\tau_I$. It is easy to see that protocol/projection inheri- 
tance implies both protocol and projection inheritance. Moreover, both protocol 
and projection inheritance imply life-cycle inheritance. However, life-cycle inher- 
itance does not imply protocol or projection inheritance. 

The inheritance relations have a number of desirable properties. First, they 
are preorders (i.e., they are reflexive and transitive; see Property 6.19 in jS|). 
Furthermore, if one OLC is a subclass of another OLC under any of the four 
inheritance relations and vice versa, then the two OLCs are equivalent as defined 
in Definition 2.11 (i.e., the two OLCs are branching bisimilar; see Property 6.21 in 
0). In other words, the four inheritance relations are anti-symmetric. A relation 
that is reflexive, anti-symmetric, and transitive is a partial order. 

Property 3.4. Assuming $=$, as defined in Definition 2.11, as the equivalence on 
OLCs, $\leq_{lc}$, $\leq_{pt}$, $\leq_{pj}$, and $\leq_{pp}$ are partial orders. 

4 GCDs and LCMs under Life-Cycle Inheritance 

Each of the four notions of inheritance provides a partial ordering on OLCs. This 
inspired us to investigate whether it is possible to define the notions of a Greatest 
Common Divisor (GCD) and a Least Common Multiple (LCM) for sets of OLCs. 
In this section, we restrict ourselves to life-cycle inheritance (Definition 3.3(4)). 
In Section 5 we consider the other three inheritance notions. We use the term 
variant for an OLC in a set of OLCs. The idea is that the GCD should capture 
the commonality of the variants, i.e., the part they agree on. The LCM 
should capture all possible behaviors of all the variants. Consider for example 
the five OLCs of Figure 1. The GCD of these OLCs should be $N_0$. All the OLCs 
execute a, b, and c in sequential order. Each of the five variants is a subclass of 
$N_0$ and it is not possible to find a different OLC that is also a superclass of $N_0$ 
through $N_4$ and at the same time a subclass of $N_0$. Figure 2 shows $N_{GCD} = N_0$ 
as the GCD of the five OLCs of Figure 1. It also shows the OLC $N_{LCM}$. $N_{LCM}$ 
is a subclass of each of the five variants considered. Moreover, it is not possible 
to find a different OLC which is also a subclass of $N_0$ through $N_4$ and at the 
same time a superclass of $N_{LCM}$. Thus, $N_{LCM}$ is a good choice for the LCM of 
$N_0$ through $N_4$. Any sequence of transition firings generated by one of the five 
OLCs can also be generated by $N_{LCM}$ after the appropriate abstraction. 




Fig. 2. The GCD and the LCM of the five OLCs shown in Figure 1. 



To formalize the GCD and LCM concepts, we need some partial-order theory. 

Definition 4.1. (Lattices) Let $(Q, \leq)$ be a partial order; let $S \subseteq Q$ and $q \in Q$. 

1. $q$ is an upper bound of $S$ iff $s \leq q$ for all $s \in S$; 
2. $S^{\uparrow} = \{x \in Q \mid (\forall s : s \in S : s \leq x)\}$ is the set of all upper bounds of $S$; 
3. $q$ is a lower bound of $S$ iff $q \leq s$ for all $s \in S$; 
4. $S^{\downarrow} = \{x \in Q \mid (\forall s : s \in S : x \leq s)\}$ is the set of all lower bounds of $S$; 
5. $q$ is the least upper bound (lub) of $S$ iff $q$ is an upper bound of $S$ and $q \leq s$ 
for all $s \in S^{\uparrow}$; 
6. $q$ is the greatest lower bound (glb) of $S$ iff $q$ is a lower bound of $S$ and $s \leq q$ 
for all $s \in S^{\downarrow}$; 
7. $(Q, \leq)$ is a lattice iff any pair of elements in $Q$ has a lub and a glb; 
8. $(Q, \leq)$ is a complete lattice iff any subset of $Q$ has a lub and a glb. 

We are not interested in distinguishing OLCs that are branching bisimilar. That 
is, we consider equivalence classes of OLCs under behavioral equivalence (Def- 
inition 2.11). The set of all equivalence classes is denoted $\mathcal{O}/\!=$. We can lift 
life-cycle inheritance ($\leq_{lc}$) to $\mathcal{O}/\!=$ resulting in the partial order $(\mathcal{O}/\!=, \leq_{lc})$. For 
convenience, we refer to elements of $\mathcal{O}/\!=$ as OLCs. 

Definition 4.2. (MCD/GCD, MCM/LCM) Consider the inheritance par- 
tial order $(\mathcal{O}/\!=, \leq_{lc})$. Let $S \subseteq \mathcal{O}/\!=$ be a set of OLCs. 

1. OLC $N$ is a Maximal Common Divisor (MCD) of $S$ iff (a) it is an upper 
bound of $S$ (i.e., $N \in S^{\uparrow}$) and (b) for all $N' \in S^{\uparrow}$, $N' \leq_{lc} N$ implies that $N'$ 
equals $N$ (i.e., it is minimal in $S^{\uparrow}$). 
2. OLC $N$ is the Greatest Common Divisor (GCD) of $S$ iff it is the lub of $S$. 
3. OLC $N$ is a Minimal Common Multiple (MCM) of $S$ iff (a) $N \in S^{\downarrow}$ and (b) 
for all $N' \in S^{\downarrow}$, $N \leq_{lc} N'$ implies that $N'$ equals $N$. 
4. OLC $N$ is the Least Common Multiple (LCM) of $S$ iff it is the glb of $S$. 

Note that the notions of an MCD and a GCD (an MCM and an LCM) coincide 
if $(\mathcal{O}/\!=, \leq_{lc})$ is a complete lattice. On a first reading, Definition 4.2 might be 
counterintuitive: An MCD is required to be a superclass of the OLCs in $S$, 
whereas an MCM is a subclass of the OLCs in $S$. It may be more intuitive to 
consider the size of the OLCs as determined by the numbers of their methods. If 
$N_{MCD}$ is an MCD of two OLCs $N_0$ and $N_1$, then $N_{MCD}$ typically contains fewer 
methods than $N_0$ and $N_1$, which conforms to the intuitive notion of an MCD. 
Similarly, if $N_{MCM}$ is an MCM of $N_0$ and $N_1$, then $N_{MCM}$ typically contains 
more methods than $N_0$ and $N_1$. Moreover, although it is straightforward to 
show that any MCM is a subclass under life-cycle inheritance of any MCD ($\leq_{lc}$ 
is transitive (Property 3.4)), an MCM is typically larger than an MCD in terms 
of their numbers of methods. Consider for example the OLCs of Figure 1. By 
Definition 4.2, $N_{GCD}$ is an MCD of the OLCs of Figure 1 and $N_{LCM}$ is an MCM 
of these OLCs. Although $N_{LCM} \leq_{lc} N_{GCD}$, $N_{LCM}$ has more methods than $N_{GCD}$. 
Definition 4.2 raises two interesting questions: 

1. Has any set of OLCs always at least one MCD and at least one MCM? 

2. Has any set of OLCs a GCD and an LCM (i.e., is $(\mathcal{O}/\!=, \leq_{lc})$ a complete 
lattice)? 

We show that the answer to the first question is (almost always) affirmative. 
Unfortunately, the answer to the second question is negative. 

The following two properties are needed. The first one is straightforward. 

Property 4.3. Let $N_\tau$ be the OLC containing one method labeled $\tau$: $N_\tau =$ 
$(\{i, o\}, \{t\}, \{(i, t), (t, o)\}, \{(t, \tau)\})$. $N_\tau$ is a superclass under life-cycle inheri- 
tance of any OLC, i.e., it is an upper bound of $\mathcal{O}$ in $(\mathcal{O}/\!=, \leq_{lc})$. 

A set of totally ordered (according to <ic) OLCs is called a chain. 

Property 4.4. Let $N_0$ and $N_1$ be two OLCs in $\mathcal{O}$ such that $N_0 \leq_{lc} N_1$. There 
is no infinite chain $N^0 \leq_{lc} N^1 \leq_{lc} \cdots$ of different OLCs $N^0, N^1, \ldots \in \mathcal{O}$ such 
that $N_0 \leq_{lc} N^0 \leq_{lc} N^1 \leq_{lc} \cdots \leq_{lc} N_1$. 

Proof. Let $N$ and $N'$ be two OLCs with $N \leq_{lc} N'$. The following three obser- 
vations are important. First, $\alpha(N') \subseteq \alpha(N)$. Second, if $N$ and $N'$ are different, 
then $\alpha(N') \subset \alpha(N)$. Third, $\alpha(N) \setminus \alpha(N')$ is finite. 

Let $N^0 \leq_{lc} N^1 \leq_{lc} \cdots$ be an infinite chain of different OLCs $N^0, N^1, \ldots$ 
such that $N_0 \leq_{lc} N^0 \leq_{lc} N^1 \leq_{lc} \cdots \leq_{lc} N_1$. It follows from the first two of the 
above observations that $\alpha(N_1) \subset \cdots \subset \alpha(N^1) \subset \alpha(N^0) \subset \alpha(N_0)$. The third 
observation above states that $\alpha(N_0) \setminus \alpha(N_1)$ is finite, yielding a contradiction. 

□ 

It follows immediately from the previous two properties that any non-empty 
set of OLCs has an MCD. The empty set does not have an MCD because $\mathcal{O}$ 
is infinite and does not have minimal elements. Any finite set of OLCs has an 
MCM. First, OLC $N_\tau$ of Property 4.3 is an MCM of the empty set. Second, 
consider a non-empty finite set $\{N_0, N_1, \ldots, N_{n-1}\}$ of $n$ OLCs. Let $N_S$ be the 
OLC that is constructed from the variants as follows. The source place $i$ of 
$N_S$ has $n$ output transitions, one for each variant. Each of them has a unique 
method label that does not occur in the alphabets of any of the variants. The 
source place of each variant is given a new identifier and connected as an output 
place to one of the $n$ new transitions. In this way, the new transitions act as 
guards for the $n$ original variants. The sink places of the $n$ variants are simply 
fused together, yielding the sink place $o$ of $N_S$. Clearly, $N_S$ is a subclass of each 
variant; by blocking all new transitions except one, which is hidden, one obtains 
an OLC branching bisimilar to one of the variants. Based on Property 4.4 we 
may conclude that an MCM of the $n$ variants exists. The above deliberations 
lead to the following theorem, answering the first question posed above. 

Theorem 4.5. (Existence of an MCD and an MCM) Let S C O he & 
set of OLCs. If S is non-empty, it has an MCD; if S is finite, it has an MCM. 



Fig. 3. Seven object life cycles. 

As already mentioned, the answer to the second question posed above is negative. 
A set of OLCs may have two or more different MCDs, which means that it has 
no GCD. Similarly, a set of OLCs may have two or more different MCMs and, 
thus, no LCM. Consider OLCs N4 and N5 of Figure 3. They have at least two 
MCDs. It is easy to verify that both OLC N2 and OLC N3 are MCDs of N4 
and N5. Each one is a superclass of both N4 and N5 and, in both cases, there 
is no smaller (according to ≤lc) candidate. Similarly, the two OLCs N2 and 
N3 in Figure 3 have more than one MCM. Each of the OLCs N4, N5, and N6 is 
an MCM of N2 and N3. Note that hiding method c in any of the OLCs N4, N5, 
and N6 yields an OLC equivalent to N2. Hiding method b in any of the OLCs 
N4, N5, and N6 yields an OLC equivalent to N3. Clearly, in each case, there is 
no larger candidate. 

Based on the examples in Figure 3, we conclude that a given set of OLCs can 
have several MCDs and MCMs. The reason that there is no GCD for N4 and 
N5 is that they agree on the presence of the methods b and c, whereas they 
do not agree on their ordering. The reason that there is no LCM for N2 and 
N3 is that there are several ways to add methods b and c to a common subclass. 
However, in many situations, there is one unique MCD, which is therefore the 
GCD, and one unique MCM, the LCM. For example, the five variants introduced 
earlier have a GCD and an LCM, namely the nets NGCD and NLCM shown 
earlier, respectively. There are situations where it is quite easy to pinpoint 
the GCD and/or the LCM of a set of OLCs. First, if the set forms a chain, i.e., the 
OLCs are totally ordered according to the ≤lc relation, then the least element 
is the LCM and the greatest element is the GCD. Second, if one OLC is a 
superclass of all the other OLCs, then this variant is the GCD. Note that the 
five OLCs introduced earlier satisfy this requirement. Third, if one OLC is a subclass 
of all the other variants, then this OLC is the LCM. Fourth, if two variants have 
no methods in common, then the GCD equals the empty OLC Nτ of Property 
4.3. Finally, if the OLCs have nothing in common (i.e., with respect to internal 
places, transitions, and labels) and always start with a real method (i.e., a non- 
τ-labeled transition), then the LCM is simply the union of all OLCs (where the 
union means the element-wise union of the tuples defining the OLCs). 

Property 4.6. Let N0, N1, ..., Nn-1, with n a positive natural number, be n 
OLCs. 

1. If N0 ≤lc N1 ≤lc ... ≤lc Nn-1, then N0 is the LCM and Nn-1 is the GCD of 
N0, ..., Nn-1. 

2. If, for all k with 0 < k < n, Nk ≤lc N0, then N0 is the GCD of N0, ..., Nn-1. 

3. If, for all k with 0 < k < n, N0 ≤lc Nk, then N0 is the LCM of N0, ..., Nn-1. 

4. If, for some j and k with 0 ≤ j < k < n, α(Nj) ∩ α(Nk) = ∅, then Nτ of 
Property 4.3 is the GCD of N0, ..., Nn-1. 

5. If, for all j and k with 0 ≤ j < k < n, α(Nj) ∩ α(Nk) = ∅ and (Pj ∪ Tj) ∩ (Pk ∪ 
Tk) = {i, o} and, for all k with 0 ≤ k < n and all transitions t in the postset i• of the 
source place i of Nk, t has a label different from τ, then Ng = ∪(0≤k<n) Nk is the LCM of N0, ..., Nn-1. 
(Note the similarity between Ng in this property and Ng as defined before 
Theorem 4.5.) 

Proof. The first three properties follow immediately from Definitions 4.1 
and 4.2. 

To prove the fourth property, let N' be an arbitrary superclass of N0, N1, ..., 
Nn-1. Consider two variants Nj and Nk, with 0 ≤ j < k < n, such that α(Nj) ∩ 
α(Nk) = ∅. Since Nj ≤lc N', it follows that α(N') ⊆ α(Nj); similarly, α(N') ⊆ 
α(Nk). Hence, it follows that α(N') ⊆ α(Nj) ∩ α(Nk) = ∅, which means that 
α(N') = ∅. Consequently, N' equals Nτ, which means that Nτ is the GCD of 
the set of variants N0 through Nn-1. 

To prove the last property, we first show that Ng is a subclass of each of the 
variants. Consider a variant Nk, for some k with 0 ≤ k < n. Since for all j with 
0 ≤ j < n and j ≠ k, α(Nj) ∩ α(Nk) = ∅, (Pj ∪ Tj) ∩ (Pk ∪ Tk) = {i, o}, and 
all transitions t in the postset i• of the source place of Nj have a label different from τ, 
blocking all transitions in ∪(j≠k) i• of Nj in Ng yields a marked net branching bisimilar to Nk. Hence, Ng ≤lc Nk, 
which means that it is a subclass of all n variants. Second, we prove that any 
OLC N' that is a subclass of all the variants is also a subclass of Ng. Assume 
that N' is a subclass of all variants. Let, for all k with 0 ≤ k < n, Ik and Hk 
be sets of method labels such that (τ_Ik(∂_Hk(N')), [i]) ≃b (Nk, [i]) (see the definition 
of life-cycle inheritance). Let I = ∪(0≤k<n) Ik and H = ∪(0≤k<n) Hk. Clearly, 
(τ_I(∂_H(N')), [i]) ≃b (Ng, [i]), because each label in H or I appears in the alphabet 
of precisely one of the n variants. Hence, N' ≤lc Ng. Combining the results derived 
so far yields that Ng is the LCM of the set of variants N0 through Nn-1. □ 
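The two constructions used above, the guarded net Ng defined before Theorem 4.5 (an MCM of finitely many variants) and the element-wise union of Property 4.6(5), are easy to mechanize once an OLC is represented as a tuple (P, T, F, L). The Python below is an added example and not code from the paper: it builds both nets from two constructed sample OLCs, checks the preconditions of Property 4.6(5), and uses its own names (olc, guarded_mcm, union_lcm, union_preconditions_hold, fresh_label). It verifies only the structural claims of the text (fresh guard labels, shared source and sink, disjointness, no silent initial step); branching bisimilarity itself is not checked.

```python
TAU = "tau"  # the silent label, written as the Greek letter tau in the paper


def olc(places, transitions, flow, labels):
    """An OLC as the tuple (P, T, F, L): places, transitions, arcs, and one label per
    transition. The source place is named 'i' and the sink place 'o'."""
    return (frozenset(places), frozenset(transitions), frozenset(flow), dict(labels))


def alphabet(net):
    """alpha(N): the method labels of N, silent steps excluded."""
    return frozenset(lab for lab in net[3].values() if lab != TAU)


def postset(net, node):
    """The nodes reached from node by one arc (the postset, written node-bullet)."""
    return frozenset(b for a, b in net[2] if a == node)


def rename(net, mapping):
    """Rename nodes according to mapping; names not in mapping are kept."""
    P, T, F, L = net
    r = lambda x: mapping.get(x, x)
    return (frozenset(map(r, P)), frozenset(map(r, T)),
            frozenset((r(a), r(b)) for a, b in F), {r(t): lab for t, lab in L.items()})


def fresh_label(used):
    """A method label occurring in no variant (constructed naming scheme g0, g1, ...)."""
    k = 0
    while f"g{k}" in used:
        k += 1
    return f"g{k}"


def guarded_mcm(variants):
    """Ng as described before Theorem 4.5: one new guard transition per variant leads from
    the shared source i to that variant's renamed source; every guard gets a label
    outside all alphabets; the sinks of all variants are fused into the single sink o."""
    used = set().union(*(alphabet(v) for v in variants))
    P, T, F, L = {"i", "o"}, set(), set(), {}
    for k, v in enumerate(variants):
        # give the variant's source and internal nodes new identifiers; 'o' stays shared
        pre = {x: f"v{k}_{x}" for x in (v[0] | v[1]) if x != "o"}
        vP, vT, vF, vL = rename(v, pre)
        guard, lab = f"guard{k}", fresh_label(used)
        used.add(lab)
        P |= vP
        T |= vT | {guard}
        F |= vF | {("i", guard), (guard, pre["i"])}
        L.update(vL)
        L[guard] = lab
    return olc(P, T, F, L)


def union_preconditions_hold(variants):
    """Property 4.6(5): pairwise disjoint alphabets, variants share only i and o,
    and every transition in the postset of i in each variant has a non-tau label."""
    for k, (Pk, Tk, _, Lk) in enumerate(variants):
        if any(Lk[t] == TAU for t in postset(variants[k], "i")):
            return False
        for j in range(k):
            Pj, Tj, _, _ = variants[j]
            if alphabet(variants[j]) & alphabet(variants[k]):
                return False
            if (Pj | Tj) & (Pk | Tk) != {"i", "o"}:
                return False
    return True


def union_lcm(variants):
    """Element-wise union of the OLC tuples; the LCM when the preconditions hold."""
    if not union_preconditions_hold(variants):
        raise ValueError("preconditions of Property 4.6(5) violated")
    L = {}
    for v in variants:
        L.update(v[3])
    return olc(frozenset().union(*(v[0] for v in variants)),
               frozenset().union(*(v[1] for v in variants)),
               frozenset().union(*(v[2] for v in variants)), L)


# Constructed sample OLCs: NA performs a single method a; NB performs b and then c.
NA = olc({"i", "o"}, {"ta"}, {("i", "ta"), ("ta", "o")}, {"ta": "a"})
NB = olc({"i", "p1", "o"}, {"tb", "tc"},
         {("i", "tb"), ("tb", "p1"), ("p1", "tc"), ("tc", "o")}, {"tb": "b", "tc": "c"})

if __name__ == "__main__":
    print("guards of Ng:", sorted(postset(guarded_mcm([NA, NB]), "i")))
    print("transitions of the union:", sorted(union_lcm([NA, NB])[1]))
```

For NA and NB the preconditions of Property 4.6(5) hold, so the union is an LCM, whereas the guarded net is only guaranteed to be an MCM; the example also shows the two ways the preconditions can fail (a shared method label, or a silent first step).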

5 How about the Other Three Notions of Inheritance? 

The results presented in Section 4 are restricted to life-cycle inheritance. In this 
section, we explore the other three notions of inheritance. First, we define the 
concepts MCD, MCM, GCD, and LCM for each of the four notions of inheritance. 

Definition 5.1. (MCD*, MCM*, GCD*, and LCM*) Let S be some set of 
OLCs in O. OLC N is an MCD*, MCM*, GCD*, or LCM* of S in (O/≃b, ≤*) 
with * ∈ {pt, pj, pp, lc} iff the corresponding requirement stated in Definition 4.2 
holds with respect to the corresponding notion of inheritance. 

Note that MCDlc, MCMlc, GCDlc, and LCMlc coincide with the concepts intro- 
duced in Section 4. As an example of this definition, consider the five variants 
introduced earlier. It is easy to see that N0 is the GCDpj of {N2, N3, N4}, the GCDpt 
of {N1, N2}, and the GCDpp of {N0, N2}. 

The questions raised in the previous section arise again: Do MCD*, MCM*, 
GCD*, and LCM* exist for * ∈ {pt, pj, pp, lc}? 

In Theorem 4.5 it has been shown that any non-empty set of variants always 
has an MCDlc. Properties 4.3 and 4.4 carry over to projection inheritance. Thus, 
we arrive at the following theorem. 

Theorem 5.2. (Existence of MCDpj) Any non-empty set of OLCs S ⊆ O 
has an MCDpj in (O/≃b, ≤pj). 

An MCDpj of the five variants introduced earlier is the sequential OLC containing just 
the methods a and c. Note that N0 is not an MCDpj, because in N0 it is possible 
to bypass b, i.e., NGCD is not an MCD under projection inheritance. 

Unfortunately, MCDpt, MCDpp, MCMpj, MCMpt, and MCMpp are not guar- 
anteed to exist. We use the variants shown in Figure 3 to give counterexamples. 
Consider N0 and N1. There is no MCDpt for these two variants. Suppose 
that N is an MCDpt of the set {N0, N1}. N should be a superclass of both N0 
and N1 under protocol inheritance. This implies that the alphabet of N is a 
subset of the intersection of the alphabets of N0 and N1. Since the alphabets of 
these two variants are disjoint, the alphabet of N is the empty set. There is just 
one OLC (modulo branching bisimilarity) that has the empty alphabet. This is 
OLC Nτ of Property 4.3. However, N0 is not a subclass of Nτ with respect to 
protocol inheritance because encapsulating method a does not yield Nτ. (In fact, 
encapsulating a does not yield an OLC.) Therefore, there cannot be an MCDpt 
for OLCs N0 and N1 of Figure 3. It follows immediately from the definition of 
protocol/projection inheritance that this example also implies 
that MCDpp does not always exist. 

To prove that there may be sets of OLCs for which there is no MCMpj, we use 
the variants N4 and N5 of Figure 3. Suppose that N is a subclass of both N4 and 
N5 under projection inheritance. The alphabet of N will include {a, b, c, d}. Let 
I be the set of methods in N but not in N4 and N5, i.e., I = α(N) \ {a, b, c, d}. 
By the definition of projection inheritance, we find that (τ_I(N), [i]) ≃b (N4, [i]) 
and (τ_I(N), [i]) ≃b (N5, [i]). Hence, since ≃b is an equivalence, N4 ≃b N5; that 
is, the two variants are equivalent modulo branching bisimilarity. Clearly, this 
is a contradiction. Therefore, N4 and N5 cannot have a common subclass under 
projection inheritance. As a result, they have no MCMpj. It follows immedi- 
ately from the definition of protocol/projection inheritance that there is also no 
MCMpp for N4 and N5. 

It remains to be shown that an MCMpt does not necessarily exist. Consider 
the set S of OLCs {N3, N4}. Assume that N is a subclass of N3 and N4 un- 
der protocol inheritance. Clearly, α(N) is a superset of {a, b, c, d}. Let H be 
α(N) \ {a, b, c, d}; that is, H contains the methods added to N4 to obtain N, 
whereas H ∪ {b} contains the methods added to N3 to obtain N. It follows 
from the definition of protocol inheritance that (∂_H(N), [i]) ≃b (N4, [i]) and that 
(∂_{H ∪ {b}}(N), [i]) ≃b (N3, [i]). The definition of branching bisimilarity implies that 
(N3, [i]) ≃b (∂_{H ∪ {b}}(N), [i]) ≃b (∂_{b}(∂_H(N)), [i]) ≃b (∂_{b}(N4), [i]). The latter is 
the process that can only execute an a and then deadlocks. This is clearly not 
branching bisimilar to N3. Hence, we have again a contradiction, showing that 
N3 and N4 cannot have a common subclass under protocol inheritance. This, in 
turn, implies that {N3, N4} does not have an MCMpt. 

The counterexamples given show that MCDpt, MCDpp, MCMpj, MCMpt, 
and MCMpp are not guaranteed to exist. Consequently, also GCDpt, GCDpp, 
LCMpj, LCMpt, and LCMpp may not exist for a given set of variants. In the 
previous section, it has already been shown that GCDlc and LCMlc do not need 
to exist. An argument similar to the one used in the previous section shows 
that N4 and N5 in Figure 3 do not have a GCDpj. Thus, also GCDpj does not 
necessarily exist. 

It remains to generalize Property 4.6 to the other notions of inheritance. The 
proof is omitted because it is similar to the proof of Property 4.6. 
Property 5.3. Let N0, N1, ..., Nn-1, with n some positive natural number, be 
n OLCs and let * ∈ {pt, pj, pp, lc}. 

1. If N0 ≤* N1 ≤* ... ≤* Nn-1, then N0 is the LCM* and Nn-1 is the GCD* 
of N0, ..., Nn-1. 

2. If, for all k with 0 < k < n, Nk ≤* N0, then N0 is the GCD* of N0, ..., Nn-1. 

3. If, for all k with 0 < k < n, N0 ≤* Nk, then N0 is the LCM* of N0, ..., Nn-1. 

4. If, for some j and k with 0 ≤ j < k < n, α(Nj) ∩ α(Nk) = ∅, then Nτ of 
Property 4.3 is the GCDpj and the GCDlc of N0, ..., Nn-1. 

5. If, for all j and k with 0 ≤ j < k < n, α(Nj) ∩ α(Nk) = ∅ and (Pj ∪ Tj) ∩ 
(Pk ∪ Tk) = {i, o} and, for all k with 0 ≤ k < n and all transitions t in the postset i• of the 
source place i of Nk, t has a label different from τ, then Ng = ∪(0≤k<n) Nk is the LCMpt and the 
LCMlc of N0, ..., Nn-1. 

6 Virtual OLCs and the Dedekind-MacNeille Completion 

As we have seen, each of the four inheritance relations provides a partial order 
on OLCs, but none of these orders is a (complete) lattice. If the inheritance 
relations had been complete lattices, there would have been a GCD and 
an LCM for any set of OLCs under any of the inheritance relations. It does 
not make any sense to try to modify the inheritance relations into lattices. The 
four relations have been carefully chosen and any attempt to transform them into 
lattices would reduce their applicability. If a set of OLCs has no GCD/LCM, one 
could settle for an MCD/MCM. However, the MCD/MCM do not always 
exist either, particularly for the more restrictive forms of inheritance. Fortunately, the 
Dedekind-MacNeille completion [17, 11] can be used to extend the inheritance 
partial orders to complete lattices. The Dedekind-MacNeille completion provides 
the smallest complete lattice that embeds a given partial order. 

We illustrate the concepts of this section using the seven OLCs shown in 
Figure 4(a). Transitions without a label correspond to τ-labeled transitions (i.e., 
silent steps). Figure 4(b) shows the ordering relations between these OLCs under 
life-cycle inheritance. An OLC N is a superclass of OLC N' (i.e., N' ≤lc N) if and 
only if there is a path of downward going lines from N to N'. The unconnected 
line segments illustrate that the seven depicted OLCs form only a part of the 
larger partial order (O/≃b, ≤lc). Note that each element in the partial order in 
fact corresponds to an equivalence class of OLCs modulo branching bisimilarity. 

Consider the set S of OLCs {N0, N1, N2}. The elements of S are all upper 
bounds of the OLC sets S0 = {N3, N4} and S1 = {N3, N4, N5, N6}; it is not 
difficult to see that S0^u = S1^u = S (see Definition 4.1). S0 and S1 have no lub, 
because N1 and N2 are incomparable under life-cycle inheritance. In terms of 
Definition 4.2 (MCD/GCD, MCM/LCM), N1 and N2 are MCDs of S0 and S1, 
but N0 is not; moreover, S0 and S1 have no GCD. Similarly, N3, N4, N5, and 
N6 are lower bounds and MCMs of the OLCs in S, whereas S has no glb or 
LCM. The reason for all this is that N3, N4, N5, and N6 agree on the presence 
of methods a and b but not on their ordering. 

Essential in the Dedekind-MacNeille completion is the notion of cuts. 
Fig. 4. Seven OLCs and their ordering under life-cycle inheritance before and after 
completion. (a) Seven object life cycles. (c) After completion. 

Definition 6.1. (Cut) Let (Q, ≤) be a partial order and A, B ⊆ Q. (A, B) is a 
cut of Q if and only if A^u = B and A = B^l. 

Consider Figure 4(b). It is easy to see that ({N3, N4, N5, N6, ...}, {N0, N1, N2}) 
is a cut, where the dots represent the subclasses of N3, N4, N5, and N6 not shown 
in the figure; the pair ({N3, N4, N5, N6, ...}, {N1}) is not a cut. 

We need one more definition to formalize the Dedekind-MacNeille comple- 
tion. 

Definition 6.2. (Order-isomorphy) Partial orders (Q, ≤) and (Q', ≤') are 
order-isomorphic iff there exists a bijective function φ : Q → Q' such that, for 
any x, y ∈ Q, x ≤ y iff φ(x) ≤' φ(y). 

Theorem 6.3. (Dedekind-MacNeille completion [17, 11]) Let (Q, ≤) be a 
partial order. Let (Q^c, ≤^c) be the partial order with Q^c the set of all cuts of Q 
and ≤^c the ordering such that, for any (A1, B1) and (A2, B2) in Q^c, (A1, B1) ≤^c 
(A2, B2) iff A1 ⊆ A2. Order (Q^c, ≤^c) is the smallest complete lattice containing 
an ordered subset that is order-isomorphic with (Q, ≤). 
An element (A, B) of Q^c corresponds to an element q of Q iff A ∩ B = {q}; it 
has no corresponding element in Q iff A ∩ B = ∅. If S^c = {(A, B) ∈ Q^c | A ∩ B ≠ 
∅}, then (S^c, ≤^c ∩ (S^c × S^c)) is order-isomorphic with (Q, ≤). 

The construction of lattice (Q^c, ≤^c) is known as the Dedekind-MacNeille com- 
pletion. (Q^c, ≤^c) is order-isomorphic with (Q, ≤) if (Q, ≤) is already a complete 
lattice. The cuts corresponding to elements of Q are called concrete elements; 
other cuts are called virtual elements. The Dedekind-MacNeille completion can 
be applied to the four inheritance partial orders. 

Definition 6.4. (Dedekind-MacNeille completion) For * ∈ {pt, pj, pp, lc}, 
(O^c_*, ≤^c_*) is the Dedekind-MacNeille completion of partial order (O/≃b, ≤*). 

If we apply the Dedekind-MacNeille completion to the partial order (O/≃b, ≤lc), 
we obtain the complete lattice (partially) shown in Figure 4(c). Elements N0^c 
through N7^c are cuts. For example, N0^c = ({N0, N1, N2, N3, N4, N5, N6, ...}, 
{N0}), N1^c = ({N1, N3, N4, N5, N6, ...}, {N0, N1}), N4^c = ({N4, ...}, {N0, N1, 
N2, N4}), and N7^c = ({N3, N4, N5, N6, ...}, {N0, N1, N2}). The black nodes in 
the completion of Figure 4(c) are concrete; the corresponding OLCs in Fig- 
ure 4(b) can be obtained as explained in Theorem 6.3; for example, for cut N1^c, 
{N1, N3, N4, N5, N6, ...} ∩ {N0, N1} = {N1}. Node N7^c is virtual; it does not 
correspond to an OLC: {N3, N4, N5, N6, ...} ∩ {N0, N1, N2} = ∅. 

Theorem 6.5. Consider the Dedekind-MacNeille completion (O^c_*, ≤^c_*), with * ∈ 
{pt, pj, pp, lc}. Let S ⊆ O/≃b be some set of OLCs; let S^c ⊆ O^c_* be the set of 
corresponding elements in O^c_*. 

1. Let N^c_GCD be the lub of S^c in (O^c_*, ≤^c_*). If N^c_GCD is virtual, then S has no 
GCD* in (O/≃b, ≤*); if N^c_GCD is concrete, then the corresponding element 
N_GCD in O/≃b is the GCD* of S in (O/≃b, ≤*). 

2. Let N^c_LCM be the glb of S^c in (O^c_*, ≤^c_*). If N^c_LCM is virtual, then S has no 
LCM* in (O/≃b, ≤*); if N^c_LCM is concrete, then the corresponding element 
N_LCM in O/≃b is the LCM* of S in (O/≃b, ≤*). 

Proof. It follows directly from Theorem 6.3 and Definitions 4.2 and 6.4. □ 

Theorem 6.5 illustrates that the Dedekind-MacNeille completion can be used to 
construct a virtual GCD* or LCM* for a set of OLCs if and only if it has no 
concrete GCD*/LCM*. A virtual GCD*/LCM* cannot be drawn as an ordinary 
P/T-net. However, it can be expressed in terms of concrete OLCs. Consider again 
the virtual OLC N7^c = ({N3, N4, N5, N6, ...}, {N0, N1, N2}) of Figure 4(c). Let 
A and B be the first and second element of N7^c, respectively. Sets A and B are the 
sets of all OLCs corresponding to the concrete lower bounds and concrete upper 
bounds of N7^c in the completion, respectively. Note that the maximal elements 
of A and the minimal elements of B correspond to MCMs of B and MCDs of 
A, respectively. Virtual OLC N7^c provides a good characterization of the GCD 
of N3, N4, N5, and N6, and of the LCM of N0, N1, and N2. Algorithms for 
computing the Dedekind-MacNeille completion, see for example [9], can be used 
to compute (virtual) GCDs and LCMs. 
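The cuts, the concrete/virtual distinction, and the lub/glb tests of Theorem 6.5 can be computed mechanically for a finite partial order, and the same machinery yields the MCDs and MCMs of Definition 4.2 used in Section 4. The following Python program is an added example and not code from the paper. The seven-element poset it builds is constructed to mirror Figure 4(b) (N1 and N2 below N0; N3 to N6 below both N1 and N2), with the subclasses indicated by dots in the figure left out; the names Poset, mcd, mcm, cuts, gcd_cut and lcm_cut are this example's own.

```python
from itertools import combinations

# Constructed finite partial order mirroring Figure 4(b). "x <= y" reads
# "x is a subclass of y" under life-cycle inheritance.
ELEMENTS = ["N0", "N1", "N2", "N3", "N4", "N5", "N6"]
COVERS = [("N1", "N0"), ("N2", "N0")] + [
    (f"N{k}", f"N{j}") for k in (3, 4, 5, 6) for j in (1, 2)
]


class Poset:
    def __init__(self, elements, covers):
        self.elements = list(elements)
        # reflexive-transitive closure of the covering relation
        le = {(x, x) for x in elements} | set(covers)
        changed = True
        while changed:
            changed = False
            for (a, b) in list(le):
                for (c, d) in list(le):
                    if b == c and (a, d) not in le:
                        le.add((a, d))
                        changed = True
        self.le = le

    def leq(self, x, y):
        return (x, y) in self.le

    def upper(self, s):
        """s^u: the common superclasses (upper bounds) of all elements of s."""
        return frozenset(y for y in self.elements if all(self.leq(x, y) for x in s))

    def lower(self, s):
        """s^l: the common subclasses (lower bounds) of all elements of s."""
        return frozenset(x for x in self.elements if all(self.leq(x, y) for y in s))

    def minimal(self, s):
        return frozenset(y for y in s if not any(z != y and self.leq(z, y) for z in s))

    def maximal(self, s):
        return frozenset(x for x in s if not any(z != x and self.leq(x, z) for z in s))

    # Definition 4.2: MCDs are the minimal upper bounds, MCMs the maximal lower
    # bounds; the GCD (lub) or LCM (glb) exists only when that set is a singleton.
    def mcd(self, s):
        return self.minimal(self.upper(s))

    def mcm(self, s):
        return self.maximal(self.lower(s))

    def gcd(self, s):
        m = self.mcd(s)
        return next(iter(m)) if len(m) == 1 else None

    def lcm(self, s):
        m = self.mcm(s)
        return next(iter(m)) if len(m) == 1 else None

    # Definition 6.1 / Theorem 6.3: a cut is a pair (A, B) with A^u = B and B^l = A.
    # Every cut has the form (B^l, B^lu), so enumerating all subsets B finds them all.
    def cuts(self):
        result = set()
        for r in range(len(self.elements) + 1):
            for b in combinations(self.elements, r):
                a = self.lower(b)
                result.add((a, self.upper(a)))
        return result

    @staticmethod
    def corresponding(cut):
        """Concrete cut: A ∩ B = {q} names the original element; virtual: A ∩ B = ∅."""
        a, b = cut
        inter = a & b
        return next(iter(inter)) if inter else None

    # Theorem 6.5: lub (resp. glb) of the concrete cuts of s in the completion.
    def gcd_cut(self, s):
        b = self.upper(s)
        return (self.lower(b), b)

    def lcm_cut(self, s):
        a = self.lower(s)
        return (a, self.upper(a))


FIG4 = Poset(ELEMENTS, COVERS)

if __name__ == "__main__":
    for cut in sorted(FIG4.cuts(), key=lambda c: len(c[0])):
        kind = "concrete" if Poset.corresponding(cut) else "virtual"
        print(kind, sorted(cut[0]), sorted(cut[1]))
```

Two of the nine cuts of this finite fragment are virtual: the counterpart of N7^c, which the program reports as both gcd_cut({N3, N4}) and lcm_cut({N0, N1, N2}), and a bottom cut (∅, Q) that only appears because the fragment has no least element. The subset enumeration is exponential and serves illustration only; [9] describes a lazy algorithm for larger orders.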
7 Applications and Conclusion 

We have focused on the theoretical foundations for GCDs and LCMs of OLCs 
based on various notions of inheritance. The results are not only intriguing from a 
theoretical point of view; they also have many applications. In component-based soft- 
ware development, workflow management, ERP reference models, and electronic- 
trade procedures, there is a constant need for identifying commonalities and 
differences. To conclude this paper, we discuss some of these applications. 

Object-oriented methods such as UML [10] emphasize reuse and offer var- 
ious inheritance notions. However, there is no agreement on the meaning of 
inheritance when considering the dynamic behavior of objects. The inheritance 
relations in this paper focus on dynamics [8]. One application of the GCD and 
LCM notions in the context of UML is the following. UML allows for the specifi- 
cation of sequence and collaboration diagrams. Both types of diagrams are used 
to describe use cases and typically describe one of many possible scenarios. A 
scenario is easily translated to an OLC. The GCD of the resulting set of OLCs 
provides a succinct OLC capturing the behavior all scenarios agree on. The LCM 
of the set captures all possible behaviors generated by any of the scenarios. 

Projection inheritance has been applied in the context of component-based 
software architectures [5]. One of the central issues when dealing with compo- 
nents is the question whether a component “fits.” The framework of [5] focuses 
on the external behavior of a component. The question whether a component 
“fits” is easily expressed using inheritance. The application potential of the GCD 
and the LCM of a set of components is promising. The GCD can be used to de- 
duce commonalities for a given set of similar components. The LCM can be used 
to construct the smallest component that can replace any of the components. 

From a conceptual viewpoint, a workflow procedure is very similar to an 
OLC. Workflow management systems are driven by models that describe the 
life cycle of a case (e.g., insurance claim, order, or tax declaration). We 
applied the inheritance notions in the context of workflow change [4]. Using a 
number of construction rules, we can construct subclasses of a given workflow 
(i.e., correctness-by-construction). These rules allow for the automatic migra- 
tion of cases from sub- to superclass and vice versa. A problem of workflow 
management systems supporting multiple variants of a workflow (e.g., InCon- 
cert (TIBCO) and Ensemble (Filenet)) is the lack of aggregated management 
information. Using the techniques of this paper, we can calculate the GCD and 
LCM of a set of variants. These variants may be the result of ad-hoc or evolu- 
tionary workflow changes. By migrating the status of every case residing in any 
of the variants to the GCD and/or LCM, one obtains aggregated management 
information, i.e., one diagram containing condensed information on the work in 
progress. 

The applicability of the techniques presented in this paper is not limited to 
workflow within one organization. Especially interorganizational workflows [3] 
and electronic-trade procedures [16] can benefit from notions such as the GCD 
and the LCM. In [2], the notion of a view is introduced. A view is the workflow 
as seen by one of the parties involved. The GCD of all views is the contract all 
parties should agree upon. The LCM is the actual workflow being executed. The 
interested reader is referred to a technical report for more details [3]. 

Enterprise Resource Planning (ERP) systems such as SAP, Baan, Peoplesoft, 
and JD Edwards use reference models to describe and enact “best practices,” 
i.e., proven business process models are used to drive these systems. Whenever 
an ERP system is installed, a considerable amount of customization is needed 
to adapt either the business processes inside the enterprise to the ERP system 
or vice versa. To determine the amount of customization, the reference model 
needs to be compared to the desired or actual business process. The GCD can 
be used to determine the commonalities between both processes and is a good 
predictor for the customization efforts required. 

Another application of GCDs and LCMs is the unification of procedures in 
Europe. Consider for example labor mobility in Europe; a harmonization of na- 
tional procedures with respect to health insurance, pensions, and so on is needed 
so that people can move from one EU country to another without bureaucratic 
confusion. Another example is the unification of financial processes resulting 
from the introduction of the Euro. 

The applications briefly introduced in this final section show the relevance 
of the questions tackled in this paper. It remains for future work to study these 
applications in more detail. 



Acknowledgment. We thank the anonymous referees for their useful comments. 



References 

1. W.M.P. van der Aalst. Verification of Workflow Nets. In P. Azema and G. Balbo, 
editors, Application and Theory of Petri Nets 1997, Lecture Notes in Computer 
Science 1248, pages 407-426. Springer, Berlin, Germany, 1997. 

2. W.M.P. van der Aalst. The Application of Petri Nets to Workflow Management. 
The Journal of Circuits, Systems and Computers, 8(l):21-66, 1998. 

3. W.M.P. van der Aalst. Inheritance of Interorganizational Workflows: How to Agree 
to Disagree Without Loosing Control? BETA Working Paper Series, WP 46, 
Eindhoven University of Technology, The Netherlands, 2000. 

4. W.M.P. van der Aalst and T. Basten. Inheritance of Workflows: An approach to 
tackling problems related to change. To appear in Theoretical Computer Science. 

5. W.M.P. van der Aalst, K.M. van Hee, and R.A. van der Toorn. Component-Based 
Software Architectures: A Framework Based on Inheritance of Behavior. To appear 
in Science of Computer Programming. 

6. J.C.M. Baeten and W.P. Weijland. Process Algebra. Cambridge Tracts in Theoret- 
ical Computer Science 18. Cambridge University Press, Cambridge, UK, 1990. 

7. T. Basten. In Terms of Nets: System Design with Petri Nets and Process Algebra. 
PhD thesis, Eindhoven University of Technology, The Netherlands, 1998. 

8. T. Basten and W.M.P. van der Aalst. Inheritance of Behavior. Journal of Logic 
and Algebraic Programming, 47(2):47-145, 2001. 



52 W.M.P. van der Aalst and T. Basten 



9. K. Bertet, M. Morvan, and L. Nourine. Lazy MacNeille Completion of a Partial 
Order. In G. Mineau and A. Fall, editors, Proc. of the 2nd Int. Symp. on Knowledge 
Retrieval, Use and Storage for Efficiency, KRUSE ’97, pages 72-81, 1997. 

10. G. Booch, J. Rumbaugh, and I. Jacobson. The Unified Modeling Language User 
Guide. Addison- Wesley, Reading, MA, 1998. 

11. B.A. Davey and H.A. Priestley. Introduction to Lattices and Order. Cambridge 
University Press, Cambridge, UK, 1990. 

12. J. Desel and J. Esparza. Free Choice Petri Nets. Cambridge Tracts in Theoretical 
Computer Science 40. Cambridge University Press, Cambridge, UK, 1995. 

13. R.J. van Glabbeek and W.P. Weijland. Branching Time and Abstraction in Bisim- 
ulation Semantics. Journal of the ACM, 43(3):555-600, 1996. 

14. S. Jablonski and C. Bussler. Workflow Management: Modeling Concepts, Archi- 
tecture, and Implementation. Int. Thomson Computer Press, London, UK, 1996. 

15. G. Keller and T. Teufel. SAP R/3 Process Oriented Implementation. Addison- 
Wesley, Reading, MA, 1998. 

16. R.M. Lee. Distributed Electronic Trade Scenarios: Representation, Design, Proto- 
typing. International Journal of Electronic Commerce, 3(2):105-120, 1999. 

17. H.M. MacNeille. Partially ordered sets. Transactions of the American Mathemat- 
ical Society, 42:416-460, 1937. 

18. T. Murata. Petri Nets: Properties, Analysis and Applications. Proceedings of the 
IEEE, 77(4):541-580, 1989. 

19. W. Reisig and G. Rozenberg, editors. Lectures on Petri Nets I: Basic Models, 
Lecture Notes in Computer Science 1491. Springer, Berlin, Germany, 1998. 

20. H.M.W. Verbeek and W.M.P. van der Aalst. Woflan 2.0: A Petri-net-based Work- 
flow Diagnosis Tool. In M. Nielsen and D. Simpson, editors, Application and The- 
ory of Petri Nets 2000, Lecture Notes in Computer Science 1825, pages 475-484. 
Springer, Berlin, Germany, 2000. http://www.tm.tue.nl/it/wofian. 




Timed Petri Nets and BQOs 

Parosh Aziz Abdulla and Aletta Nylén 

Department of Computer Systems, Uppsala University 
P.O. Box 337, SE-751 05 Uppsala, Sweden 
{parosh, aletta}@docs.uu.se 

Abstract. We consider (unbounded) Timed Petri Nets (TPNs) where 
each token is equipped with a real-valued clock representing the “age” 
of the token. Each arc in the net is provided with a subinterval of the 
natural numbers, restricting the ages of the tokens travelling the arc. 
We apply a methodology developed in [AIN00], based on the theory of 
better quasi orderings (BQOs), to derive an efficient constraint system 
for automatic verification of safety properties for TPNs. We have imple- 
mented a prototype based on our method and applied it for verification 
of a parametrized version of Fischer’s protocol. 



1 Introduction 



One of the most widely used techniques for autom. verification of programs 
is that of model checking l(JEb8(ilOS8!^l. A major current challenge is to ex- 
tend the applicability of model checking to the context of infinite-state systems. 
A program may be infinite-state since it operates on unbounded data structu- 
res, e.g. timed automata mm, hybrid automata [Hen95], data-independent 
systems [JP93,Wol86], relational automata [Cer94], counter machines 
[AC98], pushdown processes [BS95], lossy channel systems, completely 
specified protocols, etc. A program may also be infinite-state since it has 
an infinite control part, e.g. Petri nets [Esp98,JM95], and parameterized systems 
HSn2E3MEmiIl2|, in which the topology of the system is parameterized 
by the number of processes inside the system. Petri nets are one of the most 
widely used models for analysis and verification of concurrent systems. Further- 
more, several classes of Timed Petri Nets (TPNs) have been introduced in the 
literature for studying the behaviours of real-time systems; e.g. m.Ps,»)IMF7bl 
lBD91KflVilVfP91| (also see [Bow96] for a survey). 

In this paper we consider verifying coverability properties of TPNs. In our 
model, each token in a TPN has an “age” which is represented by a real number. 
A marking of the net is therefore a mapping which assigns a bag of real numbers 
to each place. The bag represents the numbers and ages of the tokens in the 
corresponding place. Each arc of the net is equipped with an interval defined by 
two natural numbers. A transition may fire only if its input places have tokens 
with ages satisfying the intervals of the corresponding arcs. Tokens generated 
by transitions will have ages in the intervals of the output arcs. Furthermore, 
we assume a lazy (non-urgent) behaviour of the TPN. This means that transiti- 
ons may be delayed, even if that implies that some transitions become disabled 
because their input tokens become too old. Observe that TPNs cannot be mo- 
delled within the context of real-time automata EM, as the latter operate on 
a finite number of clocks. In fact TPNs are infinite in two dimensions; they have 
an unbounded number of tokens and each token has a real-valued clock. 

An instance of the coverability problem consists of an initial marking and an 
upward closed set of bad markings. Intuitively, we do not want the bad markings 
to occur during the execution of the TPN, and therefore we are interested in sho- 
wing that no bad marking is reachable from the initial marking. Using standard 
techniques IVW&6ICW53I, we can reduce several classes of safety properties for 
TPNs to the coverability problem. 

To solve the coverability problem, we apply an instance of a general algo- 
rithm described in [ACJYK96a,AJ98a] for reachability analysis of infinite-state 
systems. We use a symbolic representation, called existential zones, for represen- 
ting (infinite) upward closed sets of markings. We perform a fixpoint iteration, 
in which we generate existential zones characterizing the set of markings from 
which a bad marking is reachable within j steps, for increasing values of j. 

A main issue when using such an algorithm is to show that the fixpoint 
iteration always terminates. Applying the method of [ACJYK96a,AJ98a] to exi- 
stential zones, we can show that the termination of our algorithm is guaranteed 
if we show that existential zones are well quasi-ordered, i.e., for each infinite 
sequence of zones Z0, Z1, Z2, ..., there are i and j with i < j where Zj charac- 
terizes a set of markings which is a subset of the set of markings characterized 
by Zi. To show the well quasi-ordering of existential zones, we follow the me- 
thodology of [AIN00], and show that existential zones in fact satisfy a stronger 
property than well quasi-ordering, namely that they are better quasi-ordered. It 
is worth noting that the well quasi-ordering of existential zones is not possible to 
show with the framework of |AC.TYK96a,rOM^. Thus, model checking of TPNs 
provides strong evidence that better quasi-orderings are more suitable to use 
in the context of symbolic model checking than well quasi-orderings. 

Based on our algorithm, we have implemented a prototype for automatic 
verification of safety properties for TPNs. We have used the tool for verification 
of a parameterized version of Fischer’s protocol with encouraging results. 
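To make the model concrete, here is an added Python example (not the authors' tool or code) of the semantics just described: a marking maps each place to a bag of real-valued token ages, arcs carry natural-number intervals, time passage ages every token, a transition may be delayed until its input tokens are too old (lazy behaviour), and an upward closed set of bad markings is given by a minimal marking to be covered. The net, the names Arc, Transition, delay, fire, covers and scenario, and the choice of an interval's lower bound as the age of a freshly produced token are constructed for this example.

```python
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Arc:
    place: str
    lo: int      # natural-number lower bound of the allowed token ages
    hi: float    # upper bound; inf for an interval that is open-ended


@dataclass(frozen=True)
class Transition:
    name: str
    inputs: tuple    # tuple of Arc (one token consumed per input arc)
    outputs: tuple   # tuple of Arc (one token produced per output arc)


def delay(marking, d):
    """Time passes: every token in every place ages by d >= 0."""
    return {p: tuple(sorted(a + d for a in ages)) for p, ages in marking.items()}


def choose_tokens(marking, t):
    """For each input arc pick one token whose age lies in the arc's interval.
    Returns the chosen (place, age) pairs, or None if t is not enabled."""
    remaining = {p: list(ages) for p, ages in marking.items()}
    chosen = []
    for arc in t.inputs:
        candidates = [a for a in remaining.get(arc.place, []) if arc.lo <= a <= arc.hi]
        if not candidates:
            return None
        age = min(candidates)          # constructed choice: the youngest fitting token
        remaining[arc.place].remove(age)
        chosen.append((arc.place, age))
    return chosen


def enabled(marking, t):
    return choose_tokens(marking, t) is not None


def fire(marking, t):
    """Consume the chosen input tokens; each output arc creates a token whose age is
    the lower bound of its interval (any age inside the interval would be allowed)."""
    chosen = choose_tokens(marking, t)
    if chosen is None:
        raise ValueError(f"{t.name} is not enabled")
    new = {p: list(ages) for p, ages in marking.items()}
    for place, age in chosen:
        new[place].remove(age)
    for arc in t.outputs:
        new.setdefault(arc.place, []).append(float(arc.lo))
    return {p: tuple(sorted(ages)) for p, ages in new.items()}


def covers(marking, bad):
    """bad is the minimal element of an upward closed set: {place: required token count}.
    The marking is bad if it has at least that many tokens in each listed place."""
    return all(len(marking.get(p, ())) >= n for p, n in bad.items())


# Constructed net: t moves a token from p to q; the token must be between 1 and 2 time
# units old when t fires, and the new token in q starts at age 0.
T = Transition("t", inputs=(Arc("p", 1, 2),), outputs=(Arc("q", 0, 0),))
M0 = {"p": (0.0,), "q": ()}
BAD = {"q": 2}   # bad: two or more tokens in q, whatever their ages


def scenario():
    """(enabled at time 0, enabled after delay 1.5, marking after firing, enabled after 3.0)."""
    m1 = delay(M0, 1.5)
    m2 = fire(m1, T)
    # lazy semantics: waiting 3.0 instead makes the token too old, so t stays disabled
    return (enabled(M0, T), enabled(m1, T), m2, enabled(delay(M0, 3.0), T))


if __name__ == "__main__":
    print(scenario())
```

The last component of scenario() is the lazy behaviour in action: nothing forces t to fire while its token is in the interval, and once the token has aged past 2 the transition is disabled for good.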



Related Work. Existential zones are variants of another symbolic representation, 
namely that of zones. Zones are used in the design of existing tools for 
verification of real-time systems, such as KRONOS [Yov97] and UPPAAL [LPY97]. 
However, zones characterize finite sets of clocks, and therefore cannot be used 
to analyze TPNs. 

In [AJ98b] we consider a model close to TPNs, namely timed networks. A 
timed network consists of an arbitrary number of timed processes, each with 
a single real-valued clock. However, in [AJ98b] we use existential reg 
ions for verification of timed networks. Existential regions are related to 
regions in the same manner as existential zones are related to zones. In the 
same manner as regions are less efficient than zones, existential regions are 
far less efficient than existential zones and explode even on very small 
applications. In fact, an (existential) zone is the union of an (often large) 
number of (existential) regions, and therefore (existential) zones offer a much 
more compact representation of the state space. 

Most earlier work on decidability issues for TPNs, e.g. [RP85,BD91,RGdFE99], 
either reports undecidability results or decidability under the assumption that 
the TPN is bounded. A work closely related to ours is [dFERA00]. The authors 
consider the coverability problem for a class of TPNs similar to our model. The 
main difference is that in [dFERA00] it is assumed that the ages of the tokens 
are natural numbers. Furthermore, it is not evident how efficient the constraint 
system is in practical applications. 

In this paper we consider only lazy TPNs. In fact, it can be shown that very 
simple classes of TPNs with urgent behaviours can simulate two-counter 
machines, and hence almost all verification problems are undecidable for them. 
This is not a problem when checking coverability, since the set of transitions 
of an urgent TPN is a subset of the set of transitions of the corresponding 
lazy TPN. This means that if a set of markings is not reachable in the lazy TPN, 
then it is certainly not reachable in the urgent TPN. 



Outline. In the next section we introduce timed Petri nets. In Section 3 we 
give an overview of our reachability algorithm. A constraint system which we 
call existential zones is introduced in Section 4, and in the following section 
we define an entailment relation on existential zones. In Section 6 we show how 
$Pre$ is computed, and in Section 7 we prove that the reachability algorithm 
terminates. Section 8 introduces existential DDDs, the constraint system used in 
our experimental work, which is presented in Section 9. 



2 Timed Petri Nets 

We consider Timed Petri Nets (TPNs) where each token is equipped with a 
real-valued clock representing the "age" of the token. The firing conditions of a 
transition include the usual ones for Petri nets. Furthermore, each arc between 
a place and a transition is labeled with a subinterval of the natural numbers. 
When a transition is fired, the tokens removed from the input places of the 
transition and the tokens added to the output places should have ages lying in 
the intervals of the corresponding arcs. We let $\mathcal{N}$, $\mathcal{Z}$, and 
$\mathcal{R}^{\geq 0}$ denote the sets of natural numbers, integers, and 
nonnegative reals respectively. For a set $A$, we define the set $Bags(A)$ of 
bags over $A$ to be the set of mappings from $A$ to $\mathcal{N}$. Sometimes we 
write bags as lists, so e.g. $(2.4, 5.1, 5.1, 2.4, 2.4)$ represents a bag $B$ 
over $\mathcal{R}^{\geq 0}$ where $B(2.4) = 3$, $B(5.1) = 2$ and $B(x) = 0$ for 
$x \neq 2.4, 5.1$. We may also write $B$ as $(2.4^3, 5.1^2)$. For bags $B_1$ and 
$B_2$ over a set $A$, we say that $B_1 \leq B_2$ if $B_1(a) \leq B_2(a)$ for each 
$a \in A$. We define $B_1 + B_2$ to be the bag $B$ where $B(a) = B_1(a) + B_2(a)$, 
and (assuming $B_1 \leq B_2$) we define $B_2 - B_1$ to be the bag $B$ where 
$B(a) = B_2(a) - B_1(a)$, for each $a \in A$. We use $\emptyset$ to denote the 
empty bag, i.e., $\emptyset(a) = 0$ for each $a \in A$. 

We use a set $Intrv$ of intervals of the form $[a : b]$, where $a \in \mathcal{N}$ 
and $b \in \mathcal{N} \cup \{\infty\}$. For $x \in \mathcal{R}^{\geq 0}$, we write 
$x \in [a : b]$ to denote that $a \leq x \leq b$. 

A Timed Petri Net (TPN) is a tuple $N = (P, T, In, Out)$ where $P$ is a finite 
set of places, $T$ is a finite set of transitions and 
$In, Out : T \times P \mapsto Bags(Intrv)$. If $In(t,p)(I) \neq 0$ 
($Out(t,p)(I) \neq 0$) for some interval $I$, we say that $p$ is an input 
(output) place of $t$. 

A marking $M$ of $N$ is a finite bag over $P \times \mathcal{R}^{\geq 0}$. The 
marking $M$ defines the numbers and ages of the tokens in each place in the net. 
That is, $M(p,x)$ is the number of tokens with age $x$ in place $p$. For example, 
if $M = ((p_1, 2.5), (p_1, 1.3), (p_2, 4.7), (p_2, 4.7))$, then, in the marking 
$M$, there are two tokens with ages 2.5 and 1.3 in $p_1$, and two tokens each with 
age 4.7 in the place $p_2$. Abusing notation, we define, for each place $p$, a bag 
$M(p)$ over $\mathcal{R}^{\geq 0}$, where $M(p)(x) = M(p,x)$. Notice that untimed 
Petri nets are a special case of our model where all intervals are of the form 
$[0 : \infty]$. 

We define two types of transition relations on markings. A timed transition 
increases the ages of all tokens by the same real number. Formally, 
$M_1 \rightarrow_T M_2$ if $M_1$ is of the form $((p_1,x_1),\ldots,(p_n,x_n))$ 
and there is $\delta \in \mathcal{R}^{\geq 0}$ such that 
$M_2 = ((p_1, x_1 + \delta),\ldots,(p_n, x_n + \delta))$. 



We define the set of discrete transitions $\rightarrow_D$ as 
$\bigcup_{t \in T} \rightarrow_t$, where $\rightarrow_t$ represents the effect of 
firing the transition $t$. More precisely, we define $M_1 \rightarrow_t M_2$ if, 
for each place $p$ with $In(t,p) = (I_1,\ldots,I_m)$ and 
$Out(t,p) = (J_1,\ldots,J_n)$, there are bags $B_1 = (x_1,\ldots,x_m)$ and 
$B_2 = (y_1,\ldots,y_n)$ over $\mathcal{R}^{\geq 0}$ such that the following 
holds. 

- $B_1 \leq M_1(p)$. 

- $x_i \in I_i$, for $i : 1 \leq i \leq m$. 

- $y_i \in J_i$, for $i : 1 \leq i \leq n$. 

- $M_2(p) = M_1(p) - B_1 + B_2$. 

Intuitively, a transition $t$ may be fired only if, for each incoming arc to the 
transition, there is a token with the "right" age in the corresponding input 
place. This token is removed from the input place when the transition is fired. 
Furthermore, for each outgoing arc, a token with an age in the interval of the 
arc is added to the output place. We define the relation $\rightarrow$ to be 
$\rightarrow_T \cup \rightarrow_D$, and define $\xrightarrow{*}$ to be the 
reflexive transitive closure of $\rightarrow$. For markings $M_1$ and $M_2$, we 
say that $M_2$ is reachable from $M_1$ if $M_1 \xrightarrow{*} M_2$. For a 
marking $M$ and a set of markings $\mathcal{M}$, we write 
$M \xrightarrow{*} \mathcal{M}$ to denote that there is an $M' \in \mathcal{M}$ 
such that $M \xrightarrow{*} M'$. 
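The operational semantics above (timed transitions, the enabling condition on input arcs, and the lazy behaviour of Remark 2) as an added, runnable example; this is not code from the paper. The net is the one of Fig. 1 as far as the text gives it, $In(a) = ((B,[5:7]))$ and $Out(b) = ((B,[0:0]),(C,[0:0]))$; the arcs $In(b) = ((A,[0:\infty]))$ and $Out(a) = ()$ are constructed assumptions for the example.

```python
from itertools import permutations

INF = float("inf")

# A marking is a list of (place, age) pairs, one entry per token, so the bag
# (p, x) -> count is represented by repetition.  Arcs are (place, a, b) triples
# standing for the labelled arc (place, [a : b]); b may be INF.

def elapse(M, delta):
    """Timed transition M ->_T M': every token ages by the same delta >= 0."""
    assert delta >= 0
    return [(p, x + delta) for (p, x) in M]

def enabled_choices(M, In_t):
    """All ways of choosing, for each input arc (p, [a:b]) of t, a distinct token
    of M lying in p with an age in [a:b].  Each choice is a tuple of token
    indices (the bag B_1 of the definition); an empty list means t is disabled."""
    choices = []
    for h in permutations(range(len(M)), len(In_t)):
        if all(M[h[k]][0] == p and a <= M[h[k]][1] <= b
               for k, (p, a, b) in enumerate(In_t)):
            choices.append(h)
    return choices

def fire(M, In_t, Out_t, choice, new_ages):
    """Discrete transition M ->_t M': remove the chosen input tokens and add one
    token per output arc (q, [a:b]) with the requested age (the bag B_2)."""
    assert choice in enabled_choices(M, In_t), "t is not enabled with this choice"
    for (q, a, b), y in zip(Out_t, new_ages):
        assert a <= y <= b, f"age {y} not in [{a}:{b}] for output place {q}"
    kept = [tok for idx, tok in enumerate(M) if idx not in choice]
    return kept + [(q, y) for (q, _, _), y in zip(Out_t, new_ages)]

# The net of Fig. 1 as far as the text gives it: In(a) = ((B,[5:7])) and
# Out(b) = ((B,[0:0]), (C,[0:0])).  In(b) = ((A,[0:inf])) and Out(a) = () are
# constructed assumptions for this example.
IN_A, OUT_A = [("B", 5, 7)], []
IN_B, OUT_B = [("A", 0, INF)], [("B", 0, 0), ("C", 0, 0)]

def run_lazy_scenario():
    """M_init = ((A,0.0)); fire b, let 6 time units pass (a is enabled), then
    let 2 more pass: the B token is now 8 > 7 and has become a dead token, and
    under the lazy semantics nothing forbids that."""
    M0 = [("A", 0.0)]
    M1 = fire(M0, IN_B, OUT_B, enabled_choices(M0, IN_B)[0], [0.0, 0.0])
    M2 = elapse(M1, 6.0)
    M3 = elapse(M2, 2.0)
    return M1, enabled_choices(M2, IN_A), enabled_choices(M3, IN_A)

if __name__ == "__main__":
    print(run_lazy_scenario())
```

The enabling check is a matching problem (each input arc needs its own token), which is why `enabled_choices` enumerates injections rather than testing each arc independently; for the small markings of an example this brute force is fine.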

For a set $\mathcal{M}$ of markings we let $Pre(\mathcal{M})$ denote the set 
$\{M ; \exists M' \in \mathcal{M}.\ M \rightarrow M'\}$, i.e., $Pre(\mathcal{M})$ 
is the set of markings from which we can reach a marking in $\mathcal{M}$ through 
the application of a single (timed or discrete) transition. 

A set $\mathcal{M}$ of markings is said to be upward closed if $M \in \mathcal{M}$ 
and $M \leq M'$ imply $M' \in \mathcal{M}$. 
Coverability. The coverability problem is defined as follows. 

Instance A TPN $N$, a marking $M_{init}$ of $N$, and an upward closed set 
$\mathcal{M}_{fin}$ of markings of $N$. 

Question Is $\mathcal{M}_{fin}$ reachable from $M_{init}$, i.e., does 
$M_{init} \xrightarrow{*} \mathcal{M}_{fin}$ hold? 

Using standard techniques [VW86,GW93], we can show that checking several 
classes of safety properties for TPNs can be reduced to the coverability problem. 




Fig. 1. A small timed Petri net. 



Example. Figure 1 shows an example of a TPN where $P = \{A, B, C\}$ 
and $T = \{a, b, c\}$. For instance, $In(a) = ((B, [5 : 7]))$ and 
$Out(b) = ((B, [0 : 0]), (C, [0 : 0]))$. The initial marking of this net is 
$M_{init} = ((A, 0.0))$, with only one token, of age 0, in place $A$. 



Remark 1. For simplicity of presentation we use only non-strict inequalities. 
All the results can be generalized in a straightforward manner to include the 
more general case, where we also allow strict inequalities. 



Remark 2. Notice that, in our definition of the operational behaviour of TPNs, 
we assume a lazy (non-urgent) behaviour of the net. This means that we may 
choose to "let time pass" instead of firing enabled transitions, even if that 
makes transitions disabled because some of the needed tokens have become "too 
old". Tokens that are too old to participate in firing transitions are usually 
called dead tokens. In an urgent TPN, timed transitions that cause dead tokens 
are not allowed. This means that the set of transitions of an urgent TPN is a 
subset of the set of transitions of the corresponding lazy TPN. Therefore, if a 
set of markings is not reachable in the lazy TPN, it is not reachable in the 
urgent TPN either. In other words, safety properties that hold for the lazy TPN 
also hold for the urgent TPN. 
3 Overview of the Verification Algorithm 

We give an overview of our algorithm for solving the coverability problem. The 
main ingredients of the algorithm are 

- an instance of a symbolic algorithm described in [ACJYK96b] for checking 
reachability properties of infinite-state systems, and 

- an application of a methodology based on the theory of better quasi-orderings, 
described in [AN00], for designing efficient data structures in the 
implementation of the above symbolic algorithm. 

We use a symbolic representation of markings called existential zones (Section 4), 
where each zone $Z$ characterizes an upward closed set of markings $[\![Z]\!]$. 
The coverability algorithm operates on finite sets of zones. Intuitively, a finite 
set $\mathcal{Z}$ of zones represents the union of the interpretations of its 
members, i.e., $[\![\mathcal{Z}]\!] = \bigcup_{Z \in \mathcal{Z}} [\![Z]\!]$. 
Given an instance of the coverability problem (Section 2), defined by $M_{init}$ 
and a zone $Z_0$ such that $[\![Z_0]\!] = \mathcal{M}_{fin}$, the symbolic 
algorithm consists of performing a fixpoint iteration generating a sequence 
$\mathcal{Z}_0, \mathcal{Z}_1, \mathcal{Z}_2, \ldots$, where each $\mathcal{Z}_i$ 
is a finite set of existential zones. The set $\mathcal{Z}_0$ is defined to be 
the singleton $\{Z_0\}$. We define $\mathcal{Z}_{i+1}$ to be 
$\mathcal{Z}_i \cup Pre(\mathcal{Z}_i)$, where 
$[\![Pre(\mathcal{Z}_i)]\!] = Pre([\![\mathcal{Z}_i]\!])$. In other words, 
$Pre(\mathcal{Z}_i)$ characterizes exactly the markings from which we can reach a 
marking in $[\![\mathcal{Z}_i]\!]$ through the application of a single step of 
the transition relation. In Section 6 we show that the set $Pre(\mathcal{Z}_i)$ 
exists and is computable. Observe that $\mathcal{Z}_i$ characterizes the set of 
markings from which we can reach $\mathcal{M}_{fin}$ in $i$ or fewer steps. We 
also notice that the elements of the sequence denote larger and larger sets of 
markings, i.e., 
$[\![\mathcal{Z}_0]\!] \subseteq [\![\mathcal{Z}_1]\!] \subseteq [\![\mathcal{Z}_2]\!] \subseteq \cdots$. 
This implies that the procedure of generating new elements of the sequence can 
be terminated when we reach a point $j$ where 
$[\![\mathcal{Z}_{j+1}]\!] \subseteq [\![\mathcal{Z}_j]\!]$. In such a case we 
have reached the fixpoint, and $\mathcal{Z}_j$ characterizes the set of all 
markings from which $\mathcal{M}_{fin}$ is reachable. Consequently, the 
reachability of $\mathcal{M}_{fin}$ from $M_{init}$ is equivalent to whether 
$M_{init} \in [\![\mathcal{Z}_j]\!]$. In Section 5 (Lemma 3) we show that the 
relation $[\![\mathcal{Z}_{j+1}]\!] \subseteq [\![\mathcal{Z}_j]\!]$ is 
decidable, and in Section 4 (Lemma 1) we show that the relation 
$M_{init} \in [\![\mathcal{Z}_j]\!]$ is decidable. 

One key issue is to show that the symbolic algorithm always terminates. In 
[ACJYK96a,AJ98a] we show that, for any constraint system, the termination of the 
algorithm is guaranteed if the constraint system satisfies a certain property, 
namely that the constraint system is well quasi-ordered. In Section 7 we show 
well quasi-ordering of existential zones. We do that by applying the methodology 
developed in [AN00]. More precisely, we show that existential zones satisfy a 
stronger property than well quasi-ordering, namely that they are better 
quasi-ordered. Better quasi-ordering of existential zones follows from the fact 
that they can be derived starting from finite domains and then repeatedly 
applying the operations of building sets, bags, and strings, and taking unions. 
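The fixpoint iteration $\mathcal{Z}_{i+1} = \mathcal{Z}_i \cup Pre(\mathcal{Z}_i)$, the entailment test that stops it, and the final membership check $M_{init} \in [\![\mathcal{Z}_j]\!]$ are shown here as an added example (not code from the paper) for the untimed special case mentioned in Section 2, where every interval is $[0 : \infty]$ and ages are irrelevant. An upward closed set of markings is then represented by its finite set of minimal markings, which play the role of the existential zones; the entailment relation is pointwise $\leq$, and termination follows because $\mathcal{N}^k$ under pointwise $\leq$ is a wqo (Dickson's lemma). The lock-based mutual exclusion net is constructed for the example.

```python
from dataclasses import dataclass

# Places are indexed 0..k-1; a marking is a tuple of token counts; an upward
# closed set is represented by the finite list of its minimal markings (the
# role the existential zones play for TPNs).

@dataclass(frozen=True)
class Transition:
    name: str
    inp: tuple   # In(t): tokens consumed per place
    out: tuple   # Out(t): tokens produced per place

def leq(M1, M2):
    """Entailment between minimal markings: M1 <= M2 pointwise means the upward
    closed set generated by M2 is contained in the one generated by M1."""
    return all(a <= b for a, b in zip(M1, M2))

def pre_t(M, t):
    """Smallest marking from which firing t yields a marking >= M: In(t) must be
    available, and after the firing every place p must still hold M(p) tokens."""
    return tuple(i + max(m - o, 0) for m, i, o in zip(M, t.inp, t.out))

def backward_coverability(transitions, init, bad):
    """Fixpoint iteration Z_{i+1} = Z_i u Pre(Z_i) over minimal markings.
    Returns (coverable, basis): the minimal markings from which `bad` can be
    covered, and whether `init` is one of the markings they characterize.
    A candidate entailed by the current basis carries no new information and
    is dropped; otherwise it is added and the elements it entails are pruned.
    Dickson's lemma guarantees that the frontier eventually becomes empty."""
    basis = [bad]
    frontier = [bad]
    while frontier:
        new = []
        for M in frontier:
            for t in transitions:
                M2 = pre_t(M, t)
                if any(leq(B, M2) for B in basis):
                    continue
                basis = [B for B in basis if not leq(M2, B)] + [M2]
                new.append(M2)
        frontier = new
    return any(leq(B, init) for B in basis), basis

# Constructed example: a lock-based mutual exclusion net.
# places: 0 = idle, 1 = wait, 2 = cs, 3 = lock
MUTEX = [
    Transition("request", inp=(1, 0, 0, 0), out=(0, 1, 0, 0)),   # idle -> wait
    Transition("enter",   inp=(0, 1, 0, 1), out=(0, 0, 1, 0)),   # wait + lock -> cs
    Transition("exit",    inp=(0, 0, 1, 0), out=(1, 0, 0, 1)),   # cs -> idle + lock
]
TWO_IN_CS = (0, 0, 2, 0)          # the bad upward closed set: cs >= 2

def mutex_is_safe(processes, locks):
    """True iff no marking with two tokens in cs is coverable from the initial
    marking with `processes` idle tokens and `locks` lock tokens."""
    coverable, _ = backward_coverability(MUTEX, (processes, 0, 0, locks), TWO_IN_CS)
    return not coverable

if __name__ == "__main__":
    print(mutex_is_safe(2, 1), mutex_is_safe(2, 2))   # True False
```

With one lock token every minimal marking in the computed basis has cs + lock ≥ 2, so the initial marking is not covered and mutual exclusion holds; with two lock tokens the basis contains a marking below the initial one, and the bad set is reachable. In the timed setting of the paper the same loop runs over existential zones, with Section 5 supplying the entailment test and Section 6 the predecessor computation.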

4 Existential Zones 

In this section we introduce a constraint system called existential zones. 
Intuitively, an existential zone characterizes an upward closed set of markings. 
An existential zone $Z$ represents minimal conditions on markings. More precisely, 
$Z$ specifies a minimum number of tokens which should be in the marking, and 
then imposes certain conditions on these tokens. The conditions are formulated 
as specifications of the places in which the tokens should reside and restrictions 
on their ages. The age restrictions are stated as bounds on values of clocks, and 
bounds on differences between values of pairs of clocks. A marking $M$ which 
satisfies $Z$ should have at least the number of tokens specified by $Z$. 
Furthermore, the places and ages of these tokens should satisfy the conditions 
imposed by $Z$. In such a case, $M$ may have any number of additional tokens 
(whose places and ages are irrelevant for the satisfiability of the zone by the 
marking). 

For a natural number $n$, we let $n^*$ denote the set $\{0, 1, 2, \ldots, n\}$, 
and let $n^+$ denote the set $\{1, 2, \ldots, n\}$. We assume a TPN 
$(P, T, In, Out)$. 

An existential zone $Z$ is a triple $(m, P, D)$, where $m$ is a natural number, 
$P$ (called a placing) is a mapping $P : m^+ \rightarrow P$, and $D$ (called a 
difference bound matrix) is a mapping 
$D : m^* \times m^* \rightarrow \mathcal{Z} \cup \{\infty\}$. Intuitively, $m$ 
defines the minimum number of tokens in the marking, $P$ maps each token to a 
place, and $D$ defines restrictions on the ages of the tokens in the form of 
bounds on clock values and on differences between clock values; index 0 plays 
the role of a reference clock whose value is always 0, so that $D(i,0)$ is an 
upper bound and $-D(0,i)$ a lower bound on the age of token $i$. Difference 
bound matrices, or DBMs, are widely used in verification of timed automata, e.g., 
[Dil89,LPY95]. 



Fig. 2. Example of restrictions on ages of tokens. 



Consider the example from Section 2. Assume that we are interested in 
checking the coverability of markings with at least two tokens, one in place 
$B$ and one in place $C$, such that the ages of the tokens are at most 8 and the 
token in $C$ is at most 4 time units older than the one in $B$. The markings 
satisfying these constraints can be described by the existential zone 
$Z = (2, P, D)$ where $P(1) = B$, $P(2) = C$ and $D$ is given by the following 
table, where e.g. $D(0,1) = 0$ and $D(2,1) = 4$ (the latter encoding 
$x_2 - x_1 \leq 4$). 

         0      1      2 
   0     -      0      0 
   1     8      -      oo 
   2     8      4      - 

Figure 2 shows an illustration of the age restrictions of $Z$. 

Consider a marking $M = ((p_1,x_1),\ldots,(p_n,x_n))$ and an injection 
$h : m^+ \rightarrow n^+$ (called a witness). We say that $M$ satisfies $Z$ with 
respect to $h$, written $M, h \models Z$, if the following conditions are 
satisfied. 

- $P(i) = p_{h(i)}$, for each $i : 1 \leq i \leq m$. 

- $x_{h(j)} - x_{h(i)} \leq D(j,i)$, for each $i, j \in m^+$ with $i \neq j$. 

- $x_{h(i)} \leq D(i,0)$ and $-D(0,i) \leq x_{h(i)}$, for each $i \in m^+$. 

We say that $M$ satisfies $Z$, written $M \models Z$, if $M, h \models Z$ for 
some $h$. Notice that if $M$ satisfies $Z$ then $m \leq n$ (since $h$ is an 
injection), i.e., $M$ has at least the number of tokens required by $Z$, and 
furthermore the places and ages of the tokens satisfy the requirements of $Z$. 
We define $[\![Z]\!] = \{M ; M \models Z\}$. Notice that the value of $D(i,i)$ is 
irrelevant for the satisfiability of $Z$. 



Membership. From the above definitions the following lemma is straightforward, 
since there are only finitely many injections $h$ to try and each of the 
conditions above is a comparison of reals. 

Lemma 1. For an existential zone $Z$ and a marking $M$, it is decidable whether 
$M \models Z$. 



Upward Closedness. We observe that $Z$ defines a number of minimal requirements 
on $M$, in the sense that $M$ should contain at least $m$ tokens whose places 
and ages are constrained by the functions $P$ and $D$ respectively. This means 
that the set $[\![Z]\!]$ is upward closed, since $M \models Z$ and $M \leq M'$ 
imply $M' \models Z$ (a witness for $M$ is also a witness for $M'$). 



Normal and Consistent Existential Zones. An existential zone $Z = (m, P, D)$ is 
said to be normal if for each $i, j, k \in m^*$ we have 
$D(j,i) \leq D(j,k) + D(k,i)$. It is easy to show the following. 

Lemma 2. For each existential zone $Z$ there is a unique (up to renaming of the 
index set) normal existential zone, written $\overline{Z}$, such that 
$[\![\overline{Z}]\!] = [\![Z]\!]$. 

This means that we can assume without loss of generality that all existential 
zones we work with are normal. 

An existential zone $Z$ is said to be consistent if $[\![Z]\!] \neq \emptyset$. 
5 Entailment 

Given zones $Z_1$ and $Z_2$, we say that $Z_1$ is entailed by $Z_2$, written 
$Z_1 \sqsubseteq Z_2$, if $[\![Z_2]\!] \subseteq [\![Z_1]\!]$. 

We reduce checking entailment between existential zones to validity of formulas 
in a logic which we here call Difference Bound Logic (DBL). The atomic formulas 
are either of the form $u \leq c$ or of the form $v - u \leq c$, where $v$ and $u$ 
are variables interpreted over $\mathcal{R}^{\geq 0}$ and $c \in \mathcal{Z}$. 
Furthermore, the set of formulas is closed under the propositional connectives. 
It is easy to see that satisfiability of DBL-formulas is NP-complete (and hence 
validity is co-NP-complete). 

Suppose that we are given two existential zones $Z_1 = (m_1, P_1, D_1)$ and 
$Z_2 = (m_2, P_2, D_2)$. We translate the relation $Z_1 \sqsubseteq Z_2$ into 
validity of a DBL-formula $F$ as follows. We define the set of free variables in 
$F$ to be $\{v_i ; i \in m_2^+\}$. Let $H$ be the set of injections from $m_1^+$ 
to $m_2^+$ such that $h \in H$ if and only if $P_1(i) = P_2(h(i))$ for each 
$i \in m_1^+$. We define $F = F_1 \Rightarrow \bigvee_{h \in H} F_2^h$, where 

$F_1 = F_{11} \wedge F_{12} \wedge F_{13}$, and 
$F_2^h = F_{21}^h \wedge F_{22}^h \wedge F_{23}^h$, and 

- $F_{11} = \bigwedge_{i,j \in m_2^+,\, i \neq j} (v_j - v_i \leq D_2(j,i))$. 

- $F_{12} = \bigwedge_{i \in m_2^+} (v_i \leq D_2(i,0))$. 

- $F_{13} = \bigwedge_{i \in m_2^+} (-D_2(0,i) \leq v_i)$. 

- $F_{21}^h = \bigwedge_{i,j \in m_1^+,\, i \neq j} (v_{h(j)} - v_{h(i)} \leq D_1(j,i))$. 

- $F_{22}^h = \bigwedge_{i \in m_1^+} (v_{h(i)} \leq D_1(i,0))$. 

- $F_{23}^h = \bigwedge_{i \in m_1^+} (-D_1(0,i) \leq v_{h(i)})$. 

Intuitively, $F_1$ states that $v_1, \ldots, v_{m_2}$ are the ages of the $m_2$ 
tokens required by $Z_2$, and $F$ is valid exactly when every such assignment 
also satisfies $Z_1$ under some witness $h$. It suffices to consider markings 
consisting of exactly these $m_2$ tokens: such a marking lies in $[\![Z_2]\!]$, 
and any larger marking in $[\![Z_2]\!]$ contains one of them, so upward 
closedness of $[\![Z_1]\!]$ gives the other direction. 

This gives the following. 

Lemma 3. The entailment relation is decidable for existential zones. 

Notice that, in contrast to zones, for which entailment can be checked in 
polynomial time, the entailment relation for existential zones can only be 
checked in nondeterministic polynomial time by the above reduction (as we have 
to consider exponentially many witnesses). This is the price we pay for working 
with an unbounded number of clocks. On the other hand, when using zones, the 
size of the problem grows exponentially with the number of clocks in the system. 



6 Computing Predecessors 

We define a function $Pre$ such that for a zone $Z$, the value of $Pre(Z)$ is a 
finite set $\{Z_1, \ldots, Z_m\}$ of zones. The set $Pre(Z)$ characterizes the 
set of markings from which we can reach a marking satisfying $Z$ through the 
performance of a single discrete or timed transition. In other words, 
$Pre([\![Z]\!]) = [\![Z_1]\!] \cup \cdots \cup [\![Z_m]\!]$. We define 
$Pre = Pre_D \cup Pre_S$, where $Pre_D$ corresponds to firing transitions 
backwards and $Pre_S$ corresponds to running time backwards. 

We define $Pre_D = \bigcup_{t \in T} Pre_t$, where $Pre_t$ characterizes the 
effect of running the transition $t$ backwards. To define $Pre_t$, we need the 
following operations on zones. In the rest of the section we assume a normal 
existential zone $Z = (m, P, D)$ and a timed Petri net $N = (P, T, In, Out)$. 
From Lemma 2 we know that assuming $Z$ to be normal does not affect the 
generality of our results. 

For an interval $I = [a : b]$ and $i \in m^+$, we define the conjunction 
$Z \otimes (I, i)$ of $Z$ with $I$ at $i$ to be the existential zone 
$Z' = (m, P, D')$, where 

- $D'(i,0) = \min(b, D(i,0))$. 

- $D'(0,i) = \min(-a, D(0,i))$. 

- $D'(k,j) = D(k,j)$, for each $j, k \in m^*$ with $k \neq j$, 
$(k,j) \neq (i,0)$, and $(k,j) \neq (0,i)$. 

Intuitively, the operation adds an additional constraint on the age of token $i$, 
namely that its age should be in the interval $I$. For example, for a zone 
$Z = (2, P, D)$, the conjunction $Z \otimes ([1 : 6], 1)$ is the zone in which 
$D(1,0)$ is replaced by $\min(6, D(1,0))$ and $D(0,1)$ by $\min(-1, D(0,1))$, 
while the conjunction $Z \otimes ([0 : 10], 1) = Z$ whenever $D(1,0) \leq 10$ and 
$D(0,1) \leq 0$, i.e., whenever $D$ already implies $0 \leq x_1 \leq 10$. 

For a place $p$ and an interval $I = [a : b]$, we define the addition 
$Z \oplus (p, I)$ of $(p, I)$ to $Z$ to be the existential zone 
$Z' = (m+1, P', D')$, where 

- $D'(m+1, 0) = b$, and $D'(0, m+1) = -a$. 

- $D'(m+1, j) = \infty$, and $D'(j, m+1) = \infty$, for each $j \in m^+$. 

- $P'(m+1) = p$. 

- $D'(k,j) = D(k,j)$, for each $j, k \in m^*$, and $P'(j) = P(j)$, for each 
$j \in m^+$. 

Intuitively, the new existential zone $Z'$ requires one additional token to be 
present in place $p$ such that the age of the token is in the interval $I$. For 
example, for a zone $Z = (m, P, D)$, the addition $Z \oplus (A, [1 : 2])$ is the 
zone with one more token, numbered $m+1$ and placed in $A$, whose new matrix 
entries are $D'(m+1,0) = 2$, $D'(0,m+1) = -1$, and $\infty$ for the differences 
with the other tokens. 
For $i \in m^+$, we define the abstraction $Z \backslash i$ of $i$ in $Z$ to be 
the zone $Z' = (m-1, P', D')$, where 

- $D'(j,k) = D(j,k)$, for each $j, k \in (i-1)^*$. 

- $D'(j,k) = D(j, k+1)$ and $D'(k,j) = D(k+1, j)$, for each $j \in (i-1)^*$ and 
$k \in \{i, \ldots, m-1\}$. 

- $D'(j,k) = D(j+1, k+1)$, for each $j, k \in \{i, \ldots, m-1\}$. 

- $P'(j) = P(j)$, for each $j \in (i-1)^+$, and $P'(j) = P(j+1)$, for 
$j \in \{i, \ldots, m-1\}$. 

Intuitively, the operation removes all constraints related to token $i$ from $Z$, 
so the number of required tokens is reduced by 1 and the restrictions related to 
the age and place of the token disappear; the tokens numbered above $i$ are 
renumbered down by one. For example, for a zone $Z$ with three tokens, the 
abstraction $Z \backslash 2$ is the zone $(2, P', D')$ with $P'(1) = B$, 
$P'(2) = A$ and 

         0      1      2 
   0     -      0     -1 
   1     8      -      7 
   2     2      2      - 

Notice that the existential zones we obtain as a result of performing the three 
operations above need not be normal. 

Now we are ready to define $Pre$. 

Lemma 4. Consider a TPN $N = (P, T, In, Out)$, a transition $t \in T$, and 
an existential zone $Z = (m, P, D)$. Let $In(t) = ((p_1, I_1), \ldots, (p_k, I_k))$ 
and $Out(t) = ((q_1, J_1), \ldots, (q_l, J_l))$. Then $Pre_t(Z)$ is the smallest 
set containing each existential zone $Z'$ such that there is a partial injection 
$h : m^+ \rightarrow l^+$ with domain $\{i_1, \ldots, i_n\}$, and existential 
zones $Z_0$ and $Z_1$ satisfying the following conditions. 

- $P(i_j) = q_{h(i_j)}$, for each $j \in n^+$. 

- $Z_0 = Z \otimes (J_{h(i_1)}, i_1) \otimes \cdots \otimes (J_{h(i_n)}, i_n)$ is 
consistent. 

- $Z_1 = \overline{Z_0} \backslash i_1 \backslash \cdots \backslash i_n$. 

- $Z' = Z_1 \oplus (p_1, I_1) \oplus \cdots \oplus (p_k, I_k)$. 

The tokens $i_1, \ldots, i_n$ are those tokens required by $Z$ that were produced 
by firing $t$; the remaining output tokens of $t$ are among the tokens that $Z$ 
does not constrain. Normalizing $Z_0$ before abstracting matters: the age bounds 
imposed on $i_1, \ldots, i_n$ by the output intervals propagate through the 
difference bounds to the other tokens, and those tightened bounds must survive 
the removal of the abstracted tokens. Since $Z \backslash i$ renumbers the tokens 
above $i$, the abstractions are performed in decreasing order of index. 

Lemma 5. For an existential zone $Z = (m, P, D)$, the set $Pre_S(Z)$ is the 
existential zone $Z' = (m, P, D')$, where $D'(0,i) = 0$ and $D'(j,i) = D(j,i)$ 
if $j \neq 0$, for each $i, j \in m^*$ with $i \neq j$. That is, running time 
backwards removes the lower bounds on the ages, since a token may be arbitrarily 
young before time elapses, while the upper bounds and the difference bounds are 
kept; because $Z$ is normal, the upper bounds already reflect the lower bounds 
of the other tokens. 

From Lemma 4 and Lemma 5 we get the following. 

Lemma 6. For an existential zone $Z$, the set $Pre(Z)$ is computable. 
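The operations of Sections 4 and 6 (normalization, membership with an explicit witness, conjunction, addition, abstraction, $Pre_S$ and $Pre_t$) are collected below as one added, runnable example; this is not the authors' implementation. Difference bound matrices are plain lists with `float("inf")` for $\infty$, and the zone `Z_BC` is the one of Section 4. The transition used by `example_pre`, with $In(t) = ((A,[1:3]))$ and $Out(t) = ((B,[0:0]))$, is a constructed assumption chosen so that the effect of normalizing before abstracting is visible in the result.

```python
from itertools import combinations, permutations

INF = float("inf")

class Zone:
    """Existential zone (m, P, D).  P[i-1] is the place of token i and D is the
    (m+1)x(m+1) difference bound matrix: D[j][i] bounds x_j - x_i, with the
    reference clock x_0 = 0, so D[i][0] is an upper and -D[0][i] a lower bound
    on the age of token i.  Callers pass D with zeros on the diagonal."""
    def __init__(self, places, D):
        self.P = list(places)
        self.m = len(self.P)
        self.D = [row[:] for row in D]

def normalize(Z):
    """Lemma 2: Floyd-Warshall closure so that D[j][i] <= D[j][k] + D[k][i].
    A negative diagonal entry afterwards means that [Z] is empty."""
    D, n = [row[:] for row in Z.D], Z.m + 1
    for k in range(n):
        for j in range(n):
            for i in range(n):
                if D[j][k] + D[k][i] < D[j][i]:
                    D[j][i] = D[j][k] + D[k][i]
    return Zone(Z.P, D)

def consistent(Z):
    D = normalize(Z).D
    return all(D[i][i] >= 0 for i in range(Z.m + 1))

def satisfies(M, Z):
    """Lemma 1: return a witness h (h[i-1] = index in M of Z's token i) with
    M, h |= Z, or None.  M is a list of (place, age) pairs."""
    for h in permutations(range(len(M)), Z.m):
        if any(M[h[i]][0] != Z.P[i] for i in range(Z.m)):
            continue
        x = [0.0] + [M[h[i]][1] for i in range(Z.m)]
        if all(x[j] - x[i] <= Z.D[j][i]
               for j in range(Z.m + 1) for i in range(Z.m + 1) if i != j):
            return h
    return None

def conj(Z, a, b, i):
    """Z (x) ([a:b], i): additionally require a <= x_i <= b."""
    Z2 = Zone(Z.P, Z.D)
    Z2.D[i][0], Z2.D[0][i] = min(b, Z.D[i][0]), min(-a, Z.D[0][i])
    return Z2

def add(Z, p, a, b):
    """Z (+) (p, [a:b]): one more token, numbered m+1, in p with age in [a:b]."""
    n = Z.m + 1
    D = [row + [INF] for row in Z.D] + [[INF] * n + [0]]
    D[n][0], D[0][n] = b, -a
    return Zone(Z.P + [p], D)

def abstract(Z, i):
    """Z \\ i: drop token i; tokens above i are renumbered down by one."""
    keep = [k for k in range(Z.m + 1) if k != i]
    return Zone([Z.P[k - 1] for k in keep[1:]],
                [[Z.D[j][k] for k in keep] for j in keep])

def pre_time(Z):
    """Lemma 5 (Z normal): lower bounds drop to 0, everything else is kept."""
    Z2 = Zone(Z.P, Z.D)
    for i in range(1, Z.m + 1):
        Z2.D[0][i] = 0
    return Z2

def pre_fire(Z, In_t, Out_t):
    """Lemma 4: the zones of Pre_t(Z), arcs given as (place, a, b) triples.
    Tokens of Z matched injectively to output arcs were produced by t: their
    ages are conjoined with the arc intervals, the result is normalized so the
    tightened bounds propagate to the remaining tokens, the matched tokens are
    abstracted (highest index first, so the renumbering in abstract() does not
    shift indices still to be removed), and one token per input arc is added."""
    result = []
    for n in range(min(Z.m, len(Out_t)) + 1):
        for dom in combinations(range(1, Z.m + 1), n):
            for img in permutations(range(len(Out_t)), n):
                if any(Z.P[i - 1] != Out_t[o][0] for i, o in zip(dom, img)):
                    continue
                Z0 = Z
                for i, o in zip(dom, img):
                    Z0 = conj(Z0, Out_t[o][1], Out_t[o][2], i)
                Z0 = normalize(Z0)
                if any(Z0.D[i][i] < 0 for i in range(Z0.m + 1)):
                    continue  # inconsistent: t cannot have produced these tokens
                Z1 = Z0
                for i in sorted(dom, reverse=True):
                    Z1 = abstract(Z1, i)
                for (p, a, b) in In_t:
                    Z1 = add(Z1, p, a, b)
                result.append(Z1)
    return result

# The zone of Section 4: token 1 in B, token 2 in C, ages <= 8, x_2 - x_1 <= 4.
Z_BC = Zone(["B", "C"], [[0, 0, 0], [8, 0, INF], [8, 4, 0]])

def example_pre():
    """Constructed transition t with In(t) = ((A,[1:3])) and Out(t) = ((B,[0:0])).
    The predecessor that matches token 1 to the output arc must carry x_C <= 4,
    since x_B = 0 and x_C - x_B <= 4; that bound appears only after normalizing."""
    return pre_fire(Z_BC, [("A", 1, 3)], [("B", 0, 0)])

if __name__ == "__main__":
    for Zp in example_pre():
        print(Zp.P, Zp.D)
```

`example_pre` returns two zones: one where the $B$ token of `Z_BC` is not among the tokens produced by $t$ (all of `Z_BC` is kept and an $A$ token with age in $[1:3]$ is added), and one where it is, which keeps only the $C$ token, now with the upper bound 4 that the conjunction with $[0:0]$ forced through $x_2 - x_1 \leq 4$. Skipping the normalization step would return $x_C \leq 8$ there and over-approximate $Pre_t$.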
7 Termination 

In this section we show some results from the theories of well quasi-orderings 
and better quasi-orderings and explain their relation to termination of the 
reachability algorithm presented in Section 3. A quasi-ordering, or a qo for 
short, is a pair $(A, \preceq)$ where $\preceq$ is a reflexive and transitive 
(binary) relation on a set $A$. We use $a_1 \equiv a_2$ to denote that 
$a_1 \preceq a_2$ and $a_2 \preceq a_1$. An infinite sequence 
$a_1, a_2, a_3, \ldots$ of elements of $A$ is called a bad sequence iff 
$\forall i, j : i < j \Rightarrow a_i \not\preceq a_j$. A qo $(A, \preceq)$ is a 
well quasi-ordering, or a wqo for short, if there is no bad sequence of elements 
of $A$. Given a qo $(A, \preceq)$, we define a qo $(A^*, \preceq^*)$ on the set 
$A^*$ of finite strings over $A$ such that $x_1 \cdots x_m \preceq^* y_1 \cdots y_n$ 
if and only if there is a strictly monotone injection 
$h : \{1, \ldots, m\} \rightarrow \{1, \ldots, n\}$ where $x_i \preceq y_{h(i)}$ 
for $i : 1 \leq i \leq m$. A qo $(A^{\circledast}, \preceq^{\circledast})$ on the 
set $A^{\circledast}$ of bags over $A$ can be defined in a similar manner. We 
define the relation $\sqsubseteq$ on the set $\mathcal{P}(A)$ of subsets of $A$ 
so that $A_1 \sqsubseteq A_2$ if and only if 
$\forall b \in A_2 : \exists a \in A_1 : a \preceq b$. 

In [ACJYK96a,AJ98a] we showed that the reachability algorithm is guaranteed 
to terminate if the constraint system is well quasi-ordered (wqo). To prove 
well quasi-ordering of existential zones we apply a methodology presented in 
[AN00]. We use a tool which is more powerful than wqo, namely that of better 
quasi-ordering (bqo). In the following theorem we state some properties of bqos. 



Theorem 1. 

1. Each bqo is a wqo. 

2. If $A$ is finite, then $(A, =)$ is a bqo. 

3. If $(A, \preceq)$ is a bqo, then $(A^*, \preceq^*)$ is a bqo. 

4. If $(A, \preceq)$ is a bqo, then $(A^{\circledast}, \preceq^{\circledast})$ is a bqo. 

5. If $(A, \preceq)$ is a bqo, then $(\mathcal{P}(A), \sqsubseteq)$ is a bqo. 

A direct consequence of the last property is that bqo is closed under the 
operation of taking unions. Since bqo is a stronger property than wqo, it is 
sufficient to prove that zones are bqo under entailment in order to prove 
termination of the reachability algorithm. 

In order to prove that existential zones are bqo we recall a constraint system 
related to existential zones, namely that of existential regions introduced 
in [AJ98b]. An existential region is a list of bags $(B_0, B_1, \ldots, B_n, B_{n+1})$ 
where $n \geq 0$ and each $B_i$ is a bag over $P \times \mathcal{N}$. In a similar 
manner to existential zones, an existential region $R$ defines a set of 
conditions which should be satisfied by a configuration $\gamma$ in order for 
$\gamma$ to satisfy $R$. Intuitively, $B_0$ represents tokens whose ages have 
fractional part equal to 0. The bags $B_1, \ldots, B_n$ represent tokens whose 
ages have increasing fractional parts, where ages of tokens belonging to the 
same bag have the same fractional part and ages of tokens belonging to $B_i$ 
have a fractional part strictly less than the fractional part of the ages of 
those in $B_{i+1}$. Finally, the bag $B_{n+1}$ represents tokens with ages 
greater than the maximum natural number occurring in the enabling conditions of 
the given TPN (regardless of their fractional parts). 
Lemma 7. Existential zones are bqo (and hence wqo). 

Proof. 

1. Existential regions are built starting from finite domains, and repeatedly 
building finite strings, bags, and sets. From the properties mentioned above, it 
follows that existential regions are bqo. 

2. For each existential zone $Z$, there is a finite set $Regions$ of existential 
regions such that $[\![Z]\!] = \bigcup_{R \in Regions} [\![R]\!]$. Since bqo is 
closed under union, it follows that existential zones are bqo. 



8 Existential CDDs and DDDs 

CDDs [LPWY99] and DDDs [MLAH99] are constraint systems invented recently 
to give representations of real-time systems which are more compact than 
zones. In a similar manner to existential zones, we modify the definitions of 
CDDs (DDDs) into existential CDDs (DDDs), in order to make them suitable for 
verifying systems with an unbounded number of clocks. Below we give the 
definition of existential DDDs. The definition of existential CDDs can be stated 
in a similar manner. 

An existential DDD is a tuple $Y = (m, P, V, E)$, where $m$ and $P$ are defined 
as for existential zones (Section 4), and $(V, E)$ is a finite directed acyclic 
graph where $V$ is the set of vertices and $E$ is the set of edges. We assume 
that $V$ contains two special elements $v^0$ and $v^1$. The outdegrees of $v^0$ 
and $v^1$ are zero, while the outdegrees of the remaining vertices are two. Each 
vertex $v \in V - \{v^0, v^1\}$ has the following attributes: 
$pos(v), neg(v) \in m^*$, $op(v) \in \{<, \leq\}$, $const(v) \in \mathcal{Z}$, 
and $high(v), low(v) \in V$. The set $E$ contains the edges $(v, low(v))$ and 
$(v, high(v))$, where $v \in V - \{v^0, v^1\}$. In a similar manner to BDDs, the 
internal nodes of $Y$ correspond to the if-then-else operator 
$\phi \rightarrow \phi_1, \phi_2$, defined as 
$(\phi \wedge \phi_1) \vee (\neg\phi \wedge \phi_2)$. Intuitively, the attributes 
of the node $v$ represent the DBL-formula 
$\phi = x_{pos(v)} - x_{neg(v)}\ op(v)\ const(v)$, and $high(v)$ and $low(v)$ are 
the children of $v$ corresponding to $\phi_1$ and $\phi_2$ respectively. The 
special vertices $v^0$ and $v^1$ correspond to false and true. 

Consider an existential DDD $Y = (m, P, V, E)$, a vertex $v \in V$, a marking 
$M = ((p_1, c_1), \ldots, (p_k, c_k))$, and an injection $h : m^+ \rightarrow k^+$. 
We say that $M$ satisfies $Y$ at $v$ with respect to $h$, written 
$M, h \models (Y, v)$, if $P(i) = p_{h(i)}$ for each $i \in m^+$, and either 

- $v = v^1$; or 

- $v \notin \{v^0, v^1\}$ and, with $\odot = op(v)$ and the convention 
$c_{h(0)} = 0$ for the reference clock, either 
$c_{h(pos(v))} - c_{h(neg(v))} \odot const(v)$ and $M, h \models (Y, high(v))$, 
or $\neg(c_{h(pos(v))} - c_{h(neg(v))} \odot const(v))$ and 
$M, h \models (Y, low(v))$. 

In a similar manner to existential zones, we can modify the operations defined 
in [MLAH99] to compute predecessors of existential DDDs with respect to 
transitions of a TPN. To check entailment we must, as we did for existential 
zones, take into consideration all variable permutations (witnesses). 
For each existential DDD $Y$ there is a finite set $\mathcal{Z}$ of existential 
zones such that $[\![Y]\!] = [\![\mathcal{Z}]\!]$: each path from the root to 
$v^1$ is a conjunction of difference constraints, i.e., a zone. Intuitively this 
means that an existential DDD can replace several existential zones, and hence 
existential DDDs give a more compact (efficient) representation of sets of 
states. Note that each existential DDD is thus a union of existential zones. This 
together with Lemma 7 and Theorem 1 (Property 5) gives us the following result. 

Lemma 8. Existential DDDs are bqo (and hence also wqo). 
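The satisfaction relation $M, h \models (Y, v)$ and the decomposition of an existential DDD into the existential zones it represents (one per root-to-$v^1$ path) as an added, runnable example; it is not the authors' DDD package. Terminal vertices are the strings `"v0"` and `"v1"`, index 0 is the reference clock with value 0 as for existential zones, and the DDD `Y_EX` over tokens in $B$ and $C$ is constructed for the example; it encodes $(x_1 \leq 3) \vee (x_1 - x_2 \leq 1)$, the union of two zones, in one graph.

```python
from itertools import permutations

class DDDNode:
    """Internal vertex v of an existential DDD: tests x_pos - x_neg op const and
    branches to high (test true) or low (test false).  Index 0 is the reference
    clock with value 0, as for existential zones."""
    def __init__(self, pos, neg, op, const, high, low):
        assert op in ("<", "<=")
        self.pos, self.neg, self.op, self.const = pos, neg, op, const
        self.high, self.low = high, low

V0, V1 = "v0", "v1"           # the terminal vertices false and true

class EDDD:
    """Existential DDD (m, P, V, E): P[i-1] is the place of token i, `root` is
    the vertex at which satisfaction is evaluated; V and E are implicit in the
    node objects reachable from the root."""
    def __init__(self, places, root):
        self.P, self.m, self.root = list(places), len(places), root

def _test(v, ages):
    lhs = ages[v.pos] - ages[v.neg]
    return lhs <= v.const if v.op == "<=" else lhs < v.const

def holds_at(Y, v, M, h):
    """M, h |= (Y, v) for a marking M (list of (place, age)) and witness h
    (h[i-1] = index in M of Y's token i)."""
    if v == V1:
        return True
    if v == V0:
        return False
    ages = [0.0] + [M[h[i]][1] for i in range(Y.m)]
    return holds_at(Y, v.high if _test(v, ages) else v.low, M, h)

def ddd_satisfies(M, Y):
    """M |= Y: some injection h respecting the placing makes the root hold;
    the witness is returned, or None."""
    for h in permutations(range(len(M)), Y.m):
        if all(M[h[i]][0] == Y.P[i] for i in range(Y.m)) and holds_at(Y, Y.root, M, h):
            return h
    return None

def zones_of(Y):
    """The finite set of existential zones whose union is [Y]: one list of
    constraints (pos, neg, op, const) per path from the root to v1.  Taking the
    low branch negates the test, which turns a non-strict bound into a strict
    bound on the reversed difference (strict bounds are covered by Remark 1)."""
    paths = []
    def walk(v, acc):
        if v == V1:
            paths.append(acc)
        elif v != V0:
            walk(v.high, acc + [(v.pos, v.neg, v.op, v.const)])
            neg_op = "<" if v.op == "<=" else "<="
            walk(v.low, acc + [(v.neg, v.pos, neg_op, -v.const)])
    walk(Y.root, [])
    return paths

# Constructed example over tokens 1 in B and 2 in C:
# (x_1 <= 3) or (x_1 - x_2 <= 1), the union of two existential zones in one DDD.
Y_EX = EDDD(["B", "C"],
            DDDNode(1, 0, "<=", 3, V1,
                    DDDNode(1, 2, "<=", 1, V1, V0)))

if __name__ == "__main__":
    print(ddd_satisfies([("C", 4.5), ("B", 5.0)], Y_EX), zones_of(Y_EX))
```

The second path returned by `zones_of` carries the strict constraint $x_0 - x_1 < -3$ (that is, $x_1 > 3$) obtained by negating the first test, which is why the decomposition of a DDD needs the strict inequalities of Remark 1 even when every vertex uses $\leq$.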

9 Experimental Results 

We have implemented a prototype to perform reachability analysis for TPNs. 
The constraints are represented by existential DDDs. The implementation is 
based on a DDD package developed at the Technical University of Denmark [ML98]. 
We used the tool to verify a parameterized version of Fischer's protocol. The 
purpose of the protocol is to guarantee mutual exclusion in a concurrent system 
consisting of an arbitrary number of processes. The example was suggested by 
Schneider et al. [SBK92]. The protocol analysed here is in fact a weakened 
version of Fischer's protocol, but since the set of reachable states of the 
weakened version is a superset of the reachable states of the original protocol, 
the results of our analysis are still valid. 




Fig. 3. Fischer's Protocol for Mutual Exclusion 

The protocol consists of each process running the code which is graphically 
described in Figure 3. Each process $i$ has a local clock $x_i$ and a control 
state which assumes values in the set $\{A, B, C, CS\}$, where $A$ is the 
initial state and $CS$ is the critical section. The processes read from and 
write to a shared variable $v$, whose value is either $\bot$ or the index of one 
of the processes. 

All processes start in state $A$. If the value of the shared variable is $\bot$, 
a process wishing to enter the critical section can proceed to state $B$ and 
reset its local clock. From state $B$, the process can proceed to state $C$ 
within one time unit or get stuck in $B$ forever. When making the transition 
from $B$ to $C$, the process resets its local clock and sets the value of the 
shared variable to its own index. The process now has to wait in state $C$ for 
more than one time unit, a period of time which is strictly greater than the one 
used in the timeout of state $B$. If the value of the shared variable is still 
the index of the process, the process may enter the critical section; otherwise 
it may return to state $A$ and start over again. When exiting the critical 
section, the process resets the shared variable to $\bot$. 

We will now make a model of the protocol in our TPN formalism. The processes 
running the protocol are modeled by tokens in the places $A$, $B$, $C$, $CS$ and 
their counterparts marked with $\dagger$. The places marked with $\dagger$ 
represent that the value of the shared variable is the index of the process 
modeled by the token in that place. We use a place $udf$ to represent that the 
value of the shared variable is $\bot$. A straightforward translation of the 
description in Figure 3 yields the Petri net model in Figure 4, where $q$ is 
used to denote an arbitrary process state. 




Fig. 4. TPN model of Fischer’s Protocol for Mutual Exclusion 



In order to prove mutual exclusion we examine the reachability of the 
existential zones stating that at least two processes are in the critical 
section, i.e., the following zones: 

- $Z_1 = (2, P_1, D)$ where $P_1(1) = P_1(2) = CS$ 

- $Z_2 = (2, P_2, D)$ where $P_2(1) = CS$ and $P_2(2) = CS^\dagger$ 

- $Z_3 = (2, P_3, D)$ where $P_3(1) = P_3(2) = CS^\dagger$ 

For all three zones $D(0,i) = 0$, and $D(i,j) = \infty$ for all other $i \neq j$, 
i.e., the ages of the two tokens are unconstrained. 

The set of markings from which one of $Z_1$, $Z_2$, $Z_3$ is reachable, 
represented by 45 existential DDDs, takes 3.5 seconds to compute on a Sun 
Ultra 60 with 512 MB memory and a 360 MHz UltraSPARC-II processor. In the 
process, $Pre$ was computed for 51 existential DDDs. 
Abstract. CPN/Tools is a major redesign of the popular Design/CPN tool from 
the University of Aarhus CPN group. The new interface is based on advanced, 
post-WIMP interaction techniques, including bi-manual interaction, toolglasses 
and marking menus, and a new metaphor for managing the workspace. It chal- 
lenges traditional ideas about user interfaces, getting rid of pull-down menus, 
scrollbars, and even selection, while providing the same or greater functionality. 
It also uses the new and much faster CPN simulator and features incremental 
syntax checking of the nets. CPN/Tools requires an OpenGL graphics accelera- 
tor and will run on all major platforms. 



1 Introduction 

Interaction techniques for desktop workstations have changed little since the creation 
of the Xerox Star in the early eighties. The vast majority of today’s interfaces are still 
based on a single mouse and keyboard to manipulate windows, icons, menus, dialog 
boxes, and to drag and drop objects on the screen. While these WIMP interfaces 
(Windows, Icons, Menus, Pointing) are now ubiquitous, they are also reaching their 
limits: as new applications become more powerful, the corresponding interfaces be- 
come more complex. Some users are at a breaking point and are less and less able to 
cope with new software releases [11,12]. 

New interaction techniques, such as toolglasses [4] and marking menus [10], have 
been proposed to reduce this trade-off between power and ease-of-use. Yet such post- 
WIMP interaction techniques tend to be developed in isolation, as the focus of a par- 
ticular research project. As a result, they have not made it into commercial tools even 
though they have been shown to be significantly more efficient than traditional tech- 
niques. CPN/Tools is the first real-size application to combine such advanced interac- 
tion techniques into a consistent interface. The goal of this project is two-fold: first, it 
will provide the CPN community with a new, cutting-edge interface to edit and simu- 
late Coloured Petri Nets; second, it paves the way to a new generation of post-WIMP 
applications that will take advantage of recent advances in graphical interfaces. 
The CPN2000 Project 

CPN/Tools is a complete redesign of Design/CPN [9], a graphical editor and simulator 
of Coloured Petri Nets (CPNs) developed at Meta Software (USA) and the University 
of Aarhus (Denmark) over the past 10 years and a remote descendant of PeTriPote [1]. 
Design/CPN has a standard WIMP interface, based on direct manipulation, menus and 
dialog boxes. It is in use by over 600 organizations around the world, in both academia 
and industry. Production CPNs can have over a thousand places, transitions and arcs, 
structured into a hundred modules or more. 

The CPN2000 project started in February 1999. We used a highly participatory de- 
sign process, involving the users throughout the design process [14, 9]. Version 1 of 
CPN/Tools was released in April 2000 and is in use by a small group of CPN design- 
ers. Version 2 will be released to a selected set of users outside the project. 

The CPN/Tools interface uses a combination of traditional, recent and novel inter- 
action techniques, e.g. tool palettes, toolglasses, and magnetic guidelines. Integrating 
these interaction techniques together in a consistent way in a single tool proved quite 
challenging. To our knowledge, this had never been done before. We wanted to design 
a system that would strike a better balance between power and simplicity than current 
WIMP interfaces. This led us to define three design principles: reification, polymor- 
phism and reuse [3]. Reification states that any entity in the interface should be acces- 
sible as a first-class object. Polymorphism states that commands should apply to as 
many different object types as possible. Reuse states that any output from the system 
and any input to the system should be reusable later, e.g. in the form of macros. 

The resulting interface has no menu bars, no pull-down menus, no scrollbars, no 
dialog boxes and no notion of selection. Instead, it uses a unique combination of 
floating palettes, toolglasses and hierarchical marking menus, a novel windowing 
model based on pages and binders, and several new interaction techniques such as 
magnetic guidelines to align objects and bi-manual interaction to manipulate objects. 
This interface supports the same or higher level of functionality as the previous De- 
sign/CPN application, yet we have empirical evidence [14, 9, 3] that it is both simpler 
to use and more powerful. 

The rest of this article presents the CPN/Tools interface and outlines the design 
process and implementation. The design process is further described in [14, 9, 3] and 
implementation details and performance data can be found in [2]. 



2 The CPN/Tools Interface 

The CPN/Tools interface requires a traditional mouse and keyboard, plus a trackball 
(or other locator) for the non-dominant hand. For simplicity, we assume a right- 
handed user, but the mouse and trackball can be swapped for left-handed users. The 
keyboard is used only to input text and to navigate within and across text objects. The 
design of the bi-manual interaction follows Guiard’s Kinematic Chain theory [7] in 
which the left hand manipulates the context (container objects such as windows and 
toolglasses) while the right hand manipulates objects within that context. The excep- 
tion is direct interaction for zooming and resizing, which, according to Casalta et al. 
[6], should give both hands symmetrical roles. CPN/Tools incorporates six primary 
interaction techniques: direct and bi-manual interaction, marking menus [11], key- 
board input, floating palettes, and toolglasses [5]. 

Direct manipulation (i.e. clicking or dragging objects) is used for frequent opera- 
tions such as moving objects, panning the content of a view and editing text. When a 
tool is held in the right hand, e.g. after having selected it in a floating palette, direct 
manipulation actions are still available via a long click, i.e. pressing the mouse button, 
waiting for a short delay (200ms) until the cursor changes, and then either dragging or 
releasing the mouse button. Because of the visual feedback, this multiplexing of tools 
in the right hand is easily understood by users. 

Bi-manual manipulation is a variant of direct manipulation that involves using both 
hands for a single task. It is used to resize objects (windows, places, transitions, etc.) 
and to zoom the content of a page. The interaction is similar to holding an object with 
two hands and stretching or shrinking it. Bi-manual interaction could also be used to 
control the orientation and position of an object. This might be used in the future to 
control the orientation of our magnetic guidelines (see below). 

Marking menus are radial, contextual menus that appear when clicking the right 
button of the mouse. Marking menus offer faster selection than traditional linear 
menus for two reasons. First, it is easier for the human hand to move the cursor in a 
given direction than to reach a target at a given distance. Second, the menu does not 
appear when the selection gesture is executed quickly, which supports a smooth tran- 
sition between novice and expert use. Kurtenbach and Buxton [11] have shown that 
selection times can be more than three times faster than with traditional menus. Hier- 
archical marking menus involve more complex gestures but are still much more effi- 
cient than their linear counterparts. 

Keyboard input is used only to edit text. Some navigation commands are available 
at the keyboard to make it easier to edit several inscriptions in a row without having to 
move the hands to the mouse and trackball. Keyboard modifiers and shortcuts are not 
necessary since most of the interaction is carried out with the two hands on the locator 
devices. 

Floating palettes contain tools represented by buttons. Clicking a tool with the 
mouse activates this tool, i.e. the user conceptually holds the tool in his or her hand. 
Clicking on an object with the tool in hand applies the tool to that object. In many 
current interfaces, after a tool is used (especially a creation tool), the system automati- 
cally activates a “select” tool. This supports a frequent pattern of use in which the user 
wants to move or resize an object immediately after it has been created but causes 
problems when the user wants to create additional objects of the same type. 
CPN/Tools avoids this automatic changing of the current tool by getting rid of the 
notion of selection (see below) while ensuring that the user can always move an ob- 
ject, even when a tool is active, with a long click (200ms) of the mouse. This mimics 
the situation in which one continues holding a physical pen while moving an object out 
of the way. Floating palettes also support bi-manual interaction: the tool held in the 
right hand can be selected in the palette with the left hand, saving round trips to the 
palette. The floating palette can also be held in the left hand and moved next to the 
work area with the left hand, minimizing the time it takes to select a tool. 
Fig. 1. The CPN/Tools interface. The index is in the left column. The upper-right binder con- 
tains a page with the simulation layer active. The upper-left binder contains a view of the same 
page, at a different scale. The lower binder contains six pages: the page on top shows several 
magnetic guidelines (dashed lines). The VCR-like controls to the left belong to the simulation 
floating palette. The toolglass at the bottom is positioned over objects on the page and is ready 
to apply any of the attributes shown. To the right a circular, hierarchical marking menu has been 
popped up on the page and is ready to accept a gesture to invoke one of the commands dis- 
played 

Toolglasses, like floating palettes, contain a set of tools represented by buttons. 
Unlike floating palettes, they are semi-transparent and are moved with the left hand. A 
tool is applied to an object with a click-through action: The tool is positioned over the 
object of interest and the user clicks through the tool onto the object. The toolglass 
disappears when the tool requires a drag interaction, e.g., when creating an arc. This 
prevents the toolglass from getting in the way and makes it easier to pan the document 
with the left hand when the target position is not visible. This is a case where the two 
hands operate simultaneously but independently. 

Since floating palettes and toolglasses both contain tools, it is possible to turn a 
floating palette into a toolglass and vice versa, using the right button of the trackball. 
Clicking this button when a toolglass is active drops it, turning it into a floating pal- 
ette. Clicking this same button on a floating palette picks it up, turning it into a tool- 
glass. 

None of the above interaction techniques requires the concept of selection. All are 
contextual, i.e. the object of interest is specified as part of the interaction. For groups 
of objects, this requires some concept of group representation to specify which group 
to interact with. In Version 2 of CPN/Tools, we are incorporating features to create 
groups, including dynamic groups resulting from a search, and we are looking at dif- 
ferent ways of addressing this issue. Also, some features of the interface, such as 
magnetic guidelines, described below, reduce the need to work with groups. 

Preliminary results from our user studies [14, 9] make it clear that none of the 
above techniques is always better or worse. Rather, each emphasizes a different, but 
common, pattern of use by using a different syntax: 

• object-then-command: point at the object of interest, then select the command from 
a contextual marking menu; 

• command-then-object: select a command by clicking a tool in a floating palette, 
then apply the tool to one or more objects of interest; 

• command-and-object: select the command and the object simultaneously by click- 
ing through a toolglass or moving it directly. 

As a result, marking menus work well when applying multiple commands to a single 
object. Floating palettes work well when applying the same command to different 
objects. Toolglasses work well when the work is driven by the structure of the appli- 
cation objects, such as working around a cycle in a Petri net. 

The Workspace Manager 

Coloured Petri Nets frequently contain a large number of modules. In the existing 
Design/CPN tool, each module is presented in a separate window and users spend time 
switching among them. In CPN/Tools we have designed a new window manager to 
improve this situation: the Workspace Manager. 




Fig. 2. Tabs for the pages in a binder 

The workspace occupies the whole screen (figure 1) and contains window-like ob- 
jects called binders. Binders contain pages, each equivalent to a window in a tradi- 
tional environment. Each page has a tab similar to those found in tabbed dialogs (fig- 
ure 2). Clicking the tab brings that page to the front of the binder. A page can be 
dragged to a different binder with either hand by dragging its tab. Dragging a page to 
the background creates a new binder for it. Dragging the last page out of a binder 
removes the binder from the screen. Binders reduce the number of windows on the 
screen and the time spent organizing them. Binders also help users organize their work 
by grouping related pages together and reducing the time spent looking for hidden 
windows. 

CPN/Tools also supports multiple views, allowing several pages to contain a repre- 
sentation of the same data. For example, the upper-right page in figure 1 shows a 
module with simulation information, while the upper-left page shows the same module 
without simulation information and at a smaller scale. 
The left part of the workspace is called the index (top left, figure 1) and contains a 
hierarchical list of objects that can be dragged into the workspace with either hand. 
Objects in the index include toolglasses, floating palettes and Petri net modules. Drag- 
ging an entry out of the index creates a view on its contents, i.e. a toolglass, a floating 
palette or a page holding a CPN module. 

Pages and binders do not have scrollbars. If the content of a page is larger than its 
size, it can be panned with the left button of the trackball, even while the right hand is 
using the mouse to, for example, move an object or invoke a command from a mark- 
ing menu. Getting rid of scrollbars saves valuable space but makes it harder to tell 
how much of the whole document is being displayed. A future version will use the 
borders of the page to show what portion of the document is viewed in a non-intrusive, 
space-saving way. 

Resizing a binder and zooming the contents of a page involves direct bi-manual in- 
teraction (as described above). Unlike traditional window management techniques, 
using two hands makes it possible to simultaneously resize and move a binder, or pan 
and zoom the contents of a page at the same time. Clicking the right button of the 
mouse on the page tab or on the binder pops up a contextual marking menu with addi- 
tional commands to close, collapse, expand the page or create a new page with the 
same content. 

Creating and Laying out Objects 

Creation tools are accessible via the following interaction techniques: The user may 
select the appropriate object from the floating palette, move to the desired position and 
click, or use the left hand to move the toolglass to the desired position and click- 
through with the right hand, or move to the desired location and make the appropriate 
gesture from the marking menu. 

Our user studies showed that users of Design/CPN spend a great deal of time cre- 
ating and maintaining the layout of their Petri net diagrams. The primary technique is 
a set of align commands, similar to those found in other drawing tools. The limitation 
is that they align the objects at the time the command is invoked, but do not remember 
that those objects have been aligned. We observed that most users use the same pattern 
to move an object: They manually select all objects aligned to the object of interest 
and move them as a group. This dramatically slows down the interaction. 

In order to facilitate the alignment of objects, we have introduced horizontal and 
vertical magnetic guidelines. Guidelines are first-class objects that are created in the 
same way as the elements of the Petri net model, i.e. with tools found in a pal- 
ette/toolglass or in a marking menu. Guidelines are displayed as dashed lines (figure 
1) and are magnetic. Moving an object near a guideline causes the object to snap to the 
guideline. Objects can be removed from a guideline by clicking and dragging them 
away from the guideline. Moving the guideline moves all the objects that are snapped 
to it, thus maintaining the alignment. An object can be snapped simultaneously to a 
horizontal and a vertical guideline. 

We have designed, and will implement, additional types of guidelines. For exam- 
ple, rectangular or elliptical guidelines would make it easier to lay out the cycles 
commonly found in Petri nets. We also plan to support spreading or distributing objects 
over an interval within a line segment, since this is a common layout technique. Add- 
ing these new types of guidelines may create conflicts when an object is snapped to 
several guidelines. One solution is to assign weights to the guidelines and satisfy the 
alignment constraints of the guidelines with heaviest weight first. Such conflicts do 
not exist in the current system because only horizontal and vertical guidelines are 
available. 

Editing Attributes 

The tools to edit the graphical attributes of the CPN elements are grouped in a pal- 
ette/toolglass that contains five rows (figure 3): two rows of color swatches, a row of 
lines with different thicknesses, a row of lines with different dash patterns and a row 
for user-defined styles. The first four rows are fairly standard and are not described 
further here. 




Fig. 3. Toolglass for editing attributes 



Tools in the last row correspond to the reification of groups of graphical attributes 
into styles. Initially, each tool in this row is a style picker. Applying this tool to an 
object copies the object’s color and thickness into the tool and transforms the tool into 
a style dropper. Applying a style dropper to an object assigns the tool’s color and 
thickness to that object. Applying a style dropper to the background of the page emp- 
ties it and turns it into a style picker. If this is done by mistake, the undo command 
restores its previous state. In practice, style pickers and style droppers make it very 
easy and efficient for users to define the styles they use most often and apply them to 
objects in the diagram. 

In Version 2 objects will remember which style they belong to (like in, e.g., Micro- 
soft Word) and it will be possible to edit the attributes of a style in the toolglass itself. 
This will affect all the objects that use this style, saving repetitive editing. 
Simulation Tools 

Once a CPN model has been created, the developer runs simulations to validate it. 
CPN/Tools uses the new simulator developed by the University of Aarhus CPN group 
[8], which is up to 1000 times faster than the previous one used by Design/CPN. The 
simulator runs as a separate process and communicates with the tool asynchronously 
over a TCP/IP network connection. 

CPN/Tools displays simulation information in a simulation layer that can be added 
to any page via a tool in a palette, toolglass or marking menu. When the simulation 
layer is active, the background color of the page changes, the number of tokens are 
displayed as small green disks, the token colors are displayed as yellow text annota- 
tions, and enabled transitions are displayed with a green halo (figure 4). Each of these 
types of feedback can be toggled on or off using the tools in the simulation palette or 
toolglass (figure 4, top row of the palette). 




Fig. 4. Simulation palette (left) and simulation information (right) 

Running the simulation involves compiling the net into ML code based on the 
structure of the net and the text inscriptions. The net is checked incrementally as the 
user edits it. This saves a lot of time compared with Design/CPN where switching to 
simulation mode could take several minutes. Checking and simulating the net may 
result in syntax errors and run-time errors. In both cases, error messages are displayed 
as red “bubbles” next to the location of the error. The object that caused the error has a 
red halo. Since the error may occur in a page that is not on top, the red halo also ap- 
pears in the tab of any page that has an error. 

CPN/Tools uses a video tape player metaphor to control the simulation (figure 4, 
bottom row of the palette). Next frame lets the user select a transition to fire. Play 
randomly fires enabled transitions until a deadlock is reached or the user hits the stop 
button. Fast-forward runs the simulation at full speed for a maximum number of steps 
set by the user, displaying only the final state. Rewind resets the net to its initial state. 
The Next frame command is polymorphic: If applied to an enabled transition, it fires 
that transition. If applied to a page, it fires a randomly selected transition within the 
page. If applied to a binder or to the workspace, it fires a randomly selected transition 
within the pages of the binder or the whole model, respectively. 
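The VCR controls described above are, underneath, a token player for the net. The following Python is an added example and not CPN/Tools code: a minimal place/transition net (no colour sets and no ML inscriptions, which CPN/Tools handles and this example deliberately leaves out) with next_frame, play, fast_forward and rewind behaving as the text describes, together with a constructed three-jobs-through-a-single-slot-buffer net used for the demonstration. Random choices come from a seeded generator so that runs are reproducible.

```python
import random


class PTNet:
    """Place/transition net with the four VCR-style controls of the text.

    places:      dict place -> initial token count
    transitions: dict name -> (pre, post), each a dict place -> arc weight
    """

    def __init__(self, places, transitions, seed=0):
        self.initial = dict(places)
        self.transitions = transitions
        self.rng = random.Random(seed)   # seeded: the same run every time
        self.rewind()

    def rewind(self):
        """Reset the net to its initial marking (the Rewind button)."""
        self.marking = dict(self.initial)
        self.steps = 0
        return dict(self.marking)

    def enabled(self):
        """Transitions whose pre-set places hold enough tokens."""
        return [t for t, (pre, _) in self.transitions.items()
                if all(self.marking[p] >= w for p, w in pre.items())]

    def fire(self, t):
        """Fire one enabled transition; refuse anything else."""
        if t not in self.enabled():
            raise ValueError(f"transition {t!r} is not enabled")
        pre, post = self.transitions[t]
        for p, w in pre.items():
            self.marking[p] -= w
        for p, w in post.items():
            self.marking[p] = self.marking.get(p, 0) + w
        self.steps += 1
        return dict(self.marking)

    def next_frame(self, t=None):
        """Fire t, or a random enabled transition when none is chosen (the
        polymorphic 'applied to a page' case).  Returns None on deadlock."""
        if t is None:
            choices = self.enabled()
            if not choices:
                return None
            t = self.rng.choice(choices)
        return self.fire(t)

    def play(self):
        """Fire random enabled transitions until a deadlock is reached."""
        while self.next_frame() is not None:
            pass
        return dict(self.marking)

    def fast_forward(self, max_steps):
        """Run at most max_steps random steps; report only the final marking."""
        for _ in range(max_steps):
            if self.next_frame() is None:
                break
        return dict(self.marking)


def demo_net():
    """Constructed sample net: three jobs pass through a single-slot buffer."""
    places = {"jobs": 3, "buffer": 0, "free": 1, "done": 0}
    transitions = {
        "put":  ({"jobs": 1, "free": 1}, {"buffer": 1}),
        "take": ({"buffer": 1}, {"done": 1, "free": 1}),
    }
    return PTNet(places, transitions, seed=42)


if __name__ == "__main__":
    net = demo_net()
    print("play until deadlock:", net.play(), "after", net.steps, "steps")
    net.rewind()
    print("fast-forward 3 steps:", net.fast_forward(3))
```

Because the buffer has a single slot, exactly one transition is enabled at any time, so play() terminates after six firings with all three jobs in done and no transition enabled; that is the deadlock condition on which the Play button stops.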
3 Design Process and Implementation 

The design process of CPN/Tools followed an incremental and user-centered ap- 
proach. We studied both novice and expert users of Design/CPN and identified a num- 
ber of areas for improvement, e.g. window management, layout, management of 
graphical attributes, alignment, interface with the simulator. We then worked with a 
group of users to design the new system together [9]. We showed them examples of 
novel interaction techniques such as toolglasses or pen input. We conducted brain- 
storming sessions to generate ideas for the new design. We used short scenarios such 
as creating a net, editing an existing net or laying out a net created by someone else to in- 
form the design of the new system. We organised workshops with users where we 
created paper prototypes of the new system and videotaped them [14]. These video 
prototypes became precise enough to be used by the developers to implement the 
system: they served as specification of what the interface should do. Finally, when the 
first version of the CPN/Tools was functional, we conducted user studies to evaluate 
the design. These studies showed that the new interface was easy to learn and con- 
firmed that the preferred interaction technique changes according to the user and the 
context of use. This led us to integrate palettes, toolglasses and marking menus even 
further into a consistent interface rather than select a single technique [3]. 

The implementation of the system is based on a software architecture with three 
main components [2]: document management, input and rendering. This architecture 
is generic and could be reused for other applications. The simulator runs in a separate 
process and communicates with the editor using an asynchronous protocol. Documents 
represent top-level objects such as CPN diagrams, tool palettes and the index. Docu- 
ments can be saved to disk in XML. This allows users to exchange CPN diagrams as 
well as tool palettes, supporting the customization of the system. Input management 
implements the interaction techniques. It manages a set of interaction instruments, 
which modify the document structure when activated by the user. Rendering is in 
charge of displaying the document structure after it has been modified. We decided to 
use OpenGL for rendering since hardware-accelerated graphics cards are becoming 
cheaper and faster. OpenGL allows us to use advanced graphical effects, e.g. transpar- 
ency. It also supports portability: CPN/Tools will run with the same code base on 
Windows, Unix/Linux and MacOS. 

4 Conclusion and Future Work 

We have described the interface of CPN/Tools and shown how it supports a combina- 
tion of advanced interaction techniques in a post-WIMP interface. Version 1 is func- 
tional and already in use by a small group of users. We are currently working on the 
next version that will incorporate new features and improvements, based on the same 
design principles and overall approach. 

Version 2 will support groups, specified either explicitly by designating the objects 
in the group or indirectly through a query, e.g. to find all places with a given color set. 
The interface will be customizable: users will be able to compose their own pal- 
ettes/toolglasses and exchange them with other users. Styles and guidelines will be 
improved, and context-sensitive help will be available throughout the interface. We 
are looking forward to the release of CPN/Tools to the wider Petri Nets community to 
collect valuable feedback for the next iteration of the design. 
Abstract. This paper presents an embedded Discrete Event System 
(DES) design and realization methodology combining the advantages of 
system modeling based on the Petri Net (PN) formalism and implemen- 
tational efficiency of a proposed dedicated programmable event-driven 
controller. A DES is initially modeled as communicating plant and con- 
troller nets which concisely capture concurrent behavior of the system 
and lend themselves to formal analysis techniques. The control specifi- 
cations are subsequently compiled into the compact executable binary 
code according to the lean net encoding scheme and stored in a com- 
mercially available programmable parallel read only memory (PROM). 
The controller executes the PN control code in an event-driven man- 
ner responding to the external events and concurrently tracking multiple 
execution threads. The 8-bit prototype of the controller has been fab- 
ricated in 0.35 µm CMOS technology. Operating at 80 MHz it delivers 
fast response times, power efficiency and transition firing rates of up to 
4 million transitions per second. 



1 Introduction 

Numerous industrial and consumer oriented electronic systems operate in en- 
vironments where interaction with a user or another system is an important 
issue. Many of them perform specific control functions, exhibit interactive or 
reactive behavior and are implemented as embedded systems. Embedded sys- 
tems are treated here as a special implementation case of a broader class of 
systems known as Discrete Event Systems (DES). One of the firmly established 
formalisms used to design and analyze such systems is a family of formalisms 
known as Petri Nets (PN). Though modeling of systems using PN has been 
pursued extensively [...], their implementations in hardware have received 
much less attention. This paper addresses modeling of embedded discrete event 
control systems and presents a Petri Net Decision Unit (PNDU) which is a ded- 
icated programmable controller designed solely to process control tasks specified 
in terms of Petri Nets. The PNDU is a single chip device fabricated in the year 
2000 and according to the literature survey appears to be the first integrated 
circuit of its kind. This paper is the first publication presenting the measured 
performance results of the PNDU. 

The paper first gives an overview of different kinds of hardware implementa- 
tions of Petri Net based controllers. Section 3 defines embedded DES and relates 
them to Petri Nets. Section 4 gives a formal definition of the executable Petri 
Net control specifications and presents the proposed PN-based system design 
methodology. Section 5 covers the compilation of the control specifications and 
outlines architectural features of the PNDU. 



2 Hardware Implementations of Petri Nets: An Overview 

Within just ten years of their inception by Carl Adam Petri in 1962 [...], 
Petri Nets were already applied to the modeling of asynchronous event-driven 
hardware structures [...]. Since that time, PN have been used in the design of 
systems at different levels of abstraction. Hardware structures manifest them- 
selves in many different types of implementations. It is worthwhile to distinguish 
hardwired implementations from programmable ones, since only programmable 
hardware implementations are relevant to the subject of this paper. 



2.1 Hardwired Implementations Based on Petri Nets 

Hardwired implementations are realizations of a particular function or algorithm 
in a digital electronic system such that the system may only be used for one spec- 
ified application. The executing hardware resources are fixed and the algorithm 
is also fixed as it is mapped directly into hardware. The very first attempt at 
mapping the executable Petri Net specifications directly in hardware was based 
on speed-independent switching circuits which operate without a global clock 
signal [...]. This initial work was subsequently applied to the design of an asyn- 
chronous logic array, which was already a programmable implementation [...]. 
The pioneering work on speed-independent circuits [...] was later taken up 
by numerous research groups. Today, there is a maturing research field known as 
design of asynchronous circuits and systems where special classes of Petri Nets 
are used to model asynchronous logic or system behavior. Remarkably, there 
exist research software tools which synthesize self-timed digital circuits specified 
in terms of labeled Petri Nets. A comprehensive overview of the hardwired digital 
circuit design based on Petri Nets, latest research achievements in this field and 
a list of software tools is given in [...]. 
2.2 Programmable Implementations Based on Petri Nets 

Programmable implementations are realizations of an algorithm in a digital sys- 
tem such that the system itself may be used for more than one application. The 
computing resources are fixed; however, the algorithm is stored in a semiconduc- 
tor memory and may be altered upon requirements. All system realizations based 
on processors, microprocessors or processor-like controllers are programmable 
implementations. Two kinds of programmable implementations are realizations 
using commercially available devices and custom designed or dedicated ones. 

Here is a brief overview of programmable implementations based on com- 
mercially available computing platforms. The list is by no means exhaustive as 
it is only used to emphasize the variety of choices. For example, Programmable 
Logic Controllers (PLC) able to execute Petri Net control specifications were 
proposed in [...]. The PLC used processor cards with Zilog Z80A microproces- 
sors. A controller for a machining workstation employing a VAX 11/780 was 
described in [...]. A low cost programmable controller suitable for real-time ap- 
plications was presented in [...]. It was a single-chip design using the Intel 
8031 microcontroller. All these implementations were ultimately restricted by 
a general-purpose computing architecture of commercial devices which do not 
inherently behave in an event-driven manner. Since the computing hardware 
was provided, the remaining task was to properly configure devices. The main 
challenge in such implementations was to design software that would meet per- 
formance specifications. 



Custom Programmable Controllers. Substantially more efficient hardware implementations are achieved with dedicated Petri Net based programmable controllers. This is due to the special attention given simultaneously to both hardware and software aspects of the implementation. Since larger degrees of freedom are provided for hardware and software at the starting point of the design, the final solution is expected to be more efficient than implementation solutions deploying off-the-shelf devices.

For example, a programmable controller based on a custom ASIC (Application Specific Integrated Circuit) memory was estimated to perform two orders of magnitude faster than microprocessor-based implementations [?]. The executable specification based on Petri Nets was mapped to memory in a tabular form. The table had to have a fixed number of places and transitions corresponding to the desired net size. A special fire unit performed transition fire checks and the actual firing in response to the incoming input events. However, at the heart of this implementation and also of its subsequent proposals was the requirement to use ASIC memory with a very wide word. Furthermore, the encoding of the net demanded a substantial amount of memory per place-transition combination. Manipulating large amounts of data on wide buses consumes much power, and custom chips with a large pin count are expensive. The cost effectiveness additionally suffers from the fact that the memory must be custom manufactured.
An independently developed concept proposing to utilize commercial semiconductor memory in conjunction with a dedicated programmable controller was first mentioned in [?]. Here, an executable PN control specification was compiled into machine code employing a very lean net encoding scheme. The code could be programmed into a conventional EPROM (Electrically Programmable Read Only Memory) or EEPROM (Electrically Erasable PROM). The controller, known as a Petri Net Decision Unit (PNDU), was proposed to perform the token player or Petri Net interpreter function directly in hardware (Fig. [?]). Its responsibility was to respond to external stimuli in an event-driven manner. First, the appropriate place-transition block of information was loaded from the PROM. Subsequently, the decision which transitions (if any) should fire was made based on the validity of the input signals. Fired transitions produced new output signals. Interfacing the controller with conventional memory offered a high degree of flexibility, because the external PROM could easily be re-programmed and the controller provided the computing resources necessary for executing the Petri Net control specifications.

The major limitation of this first PNDU version was the fact that the Petri 
Nets were restricted to the state machine class. This implied, first of all, that the 
hardware of the PNDU was relatively simple. However, complex nets had to be 
transformed before compilation. Concurrent execution traces or processes had to 
undergo parallel composition of their individual state spaces. Therefore, software 
size grew exponentially with respect to the number of concurrent processes. 

These limitations were addressed in the second version of the PNDU, which was designed to process free choice nets [?]. This required more intelligent hardware, namely a larger circuit. However, now the PNDU could directly process both marked graphs and state machines. The amount of pre-compilation transformations was reduced and the concurrency was explicitly exploited in the net encoding. As a result, software size grew linearly with respect to the number of concurrent processes. The PNDU locally tracked the movement of concurrent tokens in the net and fired the appropriate transitions in response to the incoming external events. At any given time, it processed only marked or active places, thus avoiding the need to consider the whole net at once.

The functionality of the PNDU was extended even further in its third version, proposed in [3]. In the sequel, any reference to the PNDU will be understood to refer to the third version unless otherwise explicitly stated. The improved hardware architecture of the PNDU now allows direct processing of all possible Petri Net constructs belonging to the state machine, marked graph, free choice, extended free choice and asymmetric choice classes, and beyond. The degree of pre-compilation transformations is minimal, and the explicit support of concurrency ensures that the implementation of complex interactive control behavior is as simple as possible. A lean net encoding scheme allocates 4 to 8 memory lines (16/32/64 bits/line) per transition block. Consequently, the software is very compact, as its size is directly proportional to the number of transitions in the net. Section 5 describes the hardware and software architectural features of the PNDU.
3 Embedded Discrete Event Systems

Discrete Event Systems are dynamic, time-invariant, non-linear systems [?]. Their state space is a discrete set. State transitions are event-driven and are assumed to be instantaneous. They are triggered in response to asynchronously occurring discrete events. The state remains unchanged until new events arrive. A discrete event control system is typically modeled as a plant (or environment) and a controller, as shown in Fig. 1. This configuration will be referred to as an aggregate system. An event produced by the plant is an action which takes place within the plant and is referred to as a plant event. An event occurring within a controller is called a controller event.




Fig. 1. A Discrete Event System from conception to implementation (panels a, b, c)



S. Bulach et al.

In a reactive DES, the controller has an ongoing interaction with the plant [?]. It continuously receives plant events through sensors, processes them, keeps track of the aggregate system's state, and produces controller events which are communicated back to the plant through actuators. It is assumed that the system is always able to react to plant events and that it responds fast enough that the plant is still receptive to controller events. An implementation of a system is a realization of an abstraction in terms of hardware, software, or both. Reactive applications requiring strict timing constraints to be met are referred to as real-time systems. When an implementation is restricted by the number of input/output channels, performance, size, cost, and power consumption, the system is said to be an embedded system.

This paper considers embedded implementations of reactive untimed discrete event control systems. They will be assumed to fulfill soft real-time requirements, such that the correct operation of the system is sustained even if there is an occasional failure to meet a deadline. Untimed DES concentrate on the logical behavior of the system, disregarding at which point in time a transition to a given state is triggered, how long the transition itself lasts, or how long the system remains in that state. The sequence of input events arriving from the plant is denoted as $\{e_{p1}, e_{p2}, e_{p3}, \ldots, e_{pn}\}$ without precise reference to the exact arrival times. Such systems are adequately represented by state automata and Petri Nets. However, Petri Nets are inherently superior for problems involving interactive concurrent behavior (see Fig. [?]).



4 Petri Nets for Embedded Systems 

One of the popular definitions of Petri Nets as Place-Transition nets (PT-nets) is: $PN = (P, T, A, W, M_0)$, where P is a finite set of places, T is a finite set of transitions, A is a finite set of arcs determining a flow relation, W is a weight function, and $M_0$ is the initial marking [?]. The sets of input/output places to/from transition $t_j$ are denoted by $I(t_j)$ and $O(t_j)$, respectively. The sets of input/output transitions to/from place $p_i$ are given as $I(p_i)$ and $O(p_i)$, respectively. A PN is called ordinary if all of its arc weights are 1's. A PN is safe if for all firing sequences a place may contain no more than one token. A PN where for all possible markings the total number of tokens in the net never exceeds some upper limit K will be referred to as capacity-K conservative.

4.1 Modeling Power versus Decision Power 

Petri Net Based Design and Implementation Methodology

Modeling power of a PN is its ability to properly and efficiently represent real systems or processes. It is inversely proportional to the model size. Decision power of a PN is inversely related to the complexity of computation and the amount of computing resources required to determine various properties and to execute the net. To execute a PN means to perform a control function described in terms of the PN. Structural restrictions produce new subclasses of PN, reduce the modeling power of the net, lose important nuances of a real system and increase the model size. However, they increase decision power and ease the analysis and execution of the net. Extended Petri Nets, such as High-level Petri Nets (HLPN), better capture fine details of a real system and decrease the model size. At the same time, more intelligent computing resources are required to analyze and execute them. The relationships between modeling and decision powers, computing resources and model size are intuitively depicted in Fig. 2. The conflicting objectives in the design of embedded systems are to maximize the modeling and decision powers, and to minimize the model size and the amount of computing hardware.




Fig. 2. Modeling power versus decision power of Petri Nets (legend: DP = decision power, MP = modeling power, MS = model (code) size, CR = computing resources)



Petri Net Classes and Extensions. Based on their structural features, five subclasses of general Petri Nets are distinguished. Arranged in ascending order they are: state machines (SM) and marked graphs (MG) → free choice (FC) → extended free choice (EFC) → asymmetric choice (AC) → general Petri Nets [?]. State machines model choice situations through their conflict ($|O(p_i)| > 1$) and merge ($|I(p_i)| > 1$) constructs. They can equivalently represent state automata. Marked graphs model synchronization and production through their fork ($|O(t_j)| > 1$) and join ($|I(t_j)| > 1$) constructs. Free choice nets comprise both state machines and marked graphs, but no transition may simultaneously be part of choice and join constructs. Extended free choice nets relax this restriction. A PN construct where conflict and synchronization are mixed together is known as a confusion. FC nets admit no confusion, AC nets allow asymmetric confusion and general PN permit symmetric confusions. Figure 2 illustrates that transformations from a higher to a lower PN class increase the net size. Using state automata to model concurrent behavior ultimately results in larger nets. In order to minimize the model size, the PN executing hardware must be able to process all PN classes.

Extensions which increase PN modeling power (Fig. 2) and simplify the modeling and implementation of DES control algorithms are: token colour, transition guards, priorities of conflicting transitions and time delay expressions [?].

4.2 Modeling Plant and Controller as Petri Nets

The complete logical behavior of an aggregate system consisting of a plant and a controller is captured by an aggregate Petri Net consisting of a plant Petri Net, an interface structure and a control Petri Net (Fig. [?]). It is convenient to consider their behavior separately, but to allow an on-going interaction between them through the input and output communication channels. In each net, events are represented by transitions and places are associated with transition enabling conditions. For an event to occur, certain preconditions which depend on the state of the aggregate system must be true or valid. When an event occurs, the current preconditions become invalid and a set of postconditions is produced.

Interface arcs represent collections of signal wires or buses between the plant 
and the controller, while interface places represent registers. The two nets ex- 
change tokens which are boolean logic valued vectors. An interface place can 
hold at most one interface input or output token since at any given instant a bus 
can only hold one value. Hence, interface places must be safe and interface arcs 
must be ordinary. Plant tokens and controller tokens model execution threads 
within the plant and the controller, respectively. Thus, an aggregate PN must 
be ordinary and safe in order to have a real meaning. 

Control Executable Petri Net. An Aggregate Petri Net (APN) is formally defined as a tuple

$APN = (cePN, IS, pPN)$, where (1)

pPN is a plant Petri Net,

IS is an interface structure,

cePN is a control executable Petri Net.

A control executable Petri Net (cePN) is defined at the level where it can be directly compiled into the binary executable format. It is a tuple

$cePN = (C, P, T, A, K, \pi, Pre, Post, S, M_0)$, where (2)

C is a set of control colours, $C = \{control, iin, iout, state\}$, where

control $\in B = \{0, 1\}$ is of boolean type;

$iin = [i_1 i_2 i_3 \ldots i_\iota]$ is a boolean vector corresponding to the product of interface input variables, $|iin|$ = number of input channels; each $i_j \in B = \{0, 1\}$ is of boolean type;

$iout = [o_1 o_2 o_3 \ldots o_\omega]$ is a boolean vector corresponding to the product of interface output variables, $|iout|$ = number of output channels; each $o_j \in B = \{0, 1\}$ is of boolean type;

$state = [\sigma_1 \sigma_2 \sigma_3 \ldots \sigma_\varsigma]$ is a boolean vector corresponding to the product of internal state variables, $|state|$ = number of bits in the internal state registers; each $\sigma_j \in B = \{0, 1\}$ is of boolean type;

$P = \{p_1, p_2, p_3, \ldots, p_\rho\}$ is a finite set of control places;

$p_{start}$ is a special starting source place, $I(p_{start}) = \emptyset$;

$T = \{t_1, t_2, t_3, \ldots\}$ is a finite set of control transitions;

$T_{dummy} \subseteq T$ is an optional set of dummy transitions required for correct resolution of asymmetric confusion constructs;

$A \subseteq (P \times T) \cup (T \times P)$ is a finite set of control arcs determining a flow relation; it is assumed that arcs transfer tokens only of the colour associated with their corresponding input or output places;

$K : P \to C$ is a colour function defined from P into C, mapping each place to a specific type;

$\pi$ is a priority function which must be specified for each output arc of a place: $\forall A \in O(p_j)$, $\pi : A \to \{1, 2, 3, \ldots, m\}$ if $|O(p_j)| = m$, and $\pi(A(O(p_m))) = \pi(A(O(p_n))) = a$ for each $t_a \in (O(p_m) \cap O(p_n))$;

$Pre = [g_1 g_2 g_3 \ldots g_\gamma]$ is a guard or precondition expressed as a product of variables, such that $g_j \in B_x = \{0, 1, x\}$, where $B_x$ is a boolean type extended with a don't care value x; note that $|Pre| = |iin| + |state|$;

$Post = [c_1 c_2 c_3 \ldots c_\kappa]$ is a postcondition expressed as a product of variables, such that $c_j \in B_x = \{0, 1, x\}$, where $B_x$ is a boolean type extended with a don't care value x; note that $|Post| = |iout| + |state|$;

$S = [s_1 s_2 s_3 \ldots s_\zeta]$ is an optional subroutine address expressed as a boolean vector, $s_j \in B = \{0, 1\}$;

$M_0$ is the initial control marking, such that $M(p_{start}) = 1$, $M(p_{iin}) = M(p_{iout}) = M(p_{state}) = [000\ldots0]$, and the remaining places are unoccupied.

Token colour allows one to distinguish between tokens and places, which can be of the following types: control, interface input, interface output, and state (Fig. [?]). Control and plant tokens are denoted as [?] and [?], respectively. They flow only through their respective nets. Tokens of the colour iin are boolean vectors of plant events received through the interface input place $p_{iin}$. Tokens of the iout colour are boolean vectors of control events that are sent out through the place $p_{iout}$. A state place $p_{state}$ with its associated state colour is used only to simplify hardware resolution of synchronization constructs. To avoid visual cluttering, arcs to/from $p_{iin}$, $p_{iout}$ and $p_{state}$ should be omitted.

Place $p_{start}$ is used as a starting source place for the execution of the control algorithm. Upon initialization, it contains a "*" token, places $p_{iin}$, $p_{iout}$ and $p_{state}$ contain boolean zero vectors [000...0], while the remaining places are unoccupied. Hence, the resetting of a controller is correctly represented by the initialization of the control net. Dummy transitions are used for correct resolution of asymmetric choice constructs. Each regular control transition has a precondition or guard, a postcondition and an optional subroutine address associated with it. The guard consists of two components: an input precondition denoted as $Pre_{iin}(t_j)$ and a state precondition denoted as $Pre_{state}(t_j)$. The input precondition is related to the input token coming from the place $p_{iin}$ and is denoted by the prefix 'I' in front of the guard. The state precondition is related to the tokens coming from the state place $p_{state}$ and is denoted by the prefix 'S'. Both components of the guard are located in the upper left corner of a transition (Fig. [?]). The
postcondition consists of a state postcondition denoted as $Post_{state}(t_j)$ and an output postcondition denoted as $Post_{iout}(t_j)$. They are denoted by the prefixes 'S' and 'O', respectively, and are located in the upper right corner of the transition box. The subroutine address is denoted by the prefix 'Sr' and is graphically located below the postcondition elements. It points to the subroutine which may be executed by an optionally interfaced computing device.




Conflicting transitions belonging to the same input place must have a unique priority assigned in ascending order by the function $\pi : A \to \{1, 2, 3, \ldots, j\}$. Priority determines the sequence in which enabled conflicting transitions are tested for firing, with the highest priority denoted by '1'. This prevents nondeterministic behavior of an execution thread, increases the modeling power of the cePN and produces compact constructs even for complex enabling preconditions. Priority also simplifies hardware execution of choice and other constructs, because the order in which conflicting transitions are tested is fixed by their position within a place block. Arcs belonging to the same join construct must have identical priority to ensure correct processing in hardware.

A transition $t_j$ is enabled when the enabling condition

$E_{t_j} = \forall p_k \in \{I(t_j) : K(I(t_j)) = control\},\ M(p_k) = 1$
$\quad \wedge\ \forall p_m \in \{I(t_j) : K(I(t_j)) = iin\},\ Pre_{iin}(t_j) = var(p_{iin})$ (4)
$\quad \wedge\ \forall p_n \in \{I(t_j) : K(I(t_j)) = state\},\ Pre_{state}(t_j) = var(p_{state})$

is satisfied. $Pre_{iin}(t_j) = var(p_{iin})$ states that the value of the interface input token in place $p_{iin}$ (denoted as $var(p_{iin})$) must match the input precondition. Enabled transitions fire and remove control tokens from the control input places. However, the state token of colour $B$ is never really removed from the $p_{state}$ place but is overwritten with the new state postcondition value of colour $B_x$, such that the bits denoted by x retain their previous values. Also the interface output token of colour $B$ is overwritten with the output postcondition value of colour $B_x$.

In addition to being safe and ordinary, the cePN must also have a max-K 
capacity limit since an infinite number of control tokens cannot be supported in 
hardware. The value of K is dictated by the number of slots in the PNDU. 

Interface Structure. An interface structure (IS) has all elements defined identically to the cePN, such that $IS = (iC, iP, iT, iA, iK, iM_0)$. It may be a simple register module as shown in Fig. [?] or a First In First Out (FIFO) module. In either case, it contains an input bus and an output bus, each transferring tokens of either iin or iout colour. Care should be taken when modeling the interface structure of a real physical system where new events overwrite old ones.



Plant Petri Net. A plant Petri Net (pPN) defines all elements except pAD identically to the cePN: $pPN = (pC, pP, pT, pA, pK, pPre, pPost, pAD, pM_0)$, where pAD is an output arc delay expression, given as a positive real number.

The structure and behavior of the plant Petri Net are less restricted than those of the cePN, since it is not an executable specification but a testbench. It does not have to be safe and ordinary and must only deposit tokens corresponding to the appropriate events into the interface places at the desired time instants through the plant postconditions. For interactive applications where the behavior of the plant depends on control stimuli, plant transitions use preconditions (Fig. [?]).
Fig. 4. Example of an Aggregate Petri Net
4.3 Petri Net Based System Design Methodology

The overall system design methodology based on the Petri Net formalism is shown in Figure 5. The starting point may be as abstract as desired, such that a system may initially be specified using High-Level Petri Nets. However, it is advisable to separate the aggregate system into the plant, interface and control nets already at this level. Simulations and formal analysis techniques should be applied to verify the correctness of the modeled system. If it does not meet the specifications, the system should be redesigned.




Fig. 5. PN based system design methodology (final step: IMPLEMENT ON PNDU)



If the aggregate system meets the specification at the high level, it is transformed into the control executable, interface structure and plant Petri Nets such that they conform to the definitions described in Sect. 4.2. At this level, the control executable Petri Net takes into account limitations imposed by the hardware architecture of the PNDU. The cePN must be ordinary, safe and have a fixed net capacity. If the control net at this level contains more tokens than allowed by the capacity, some execution threads must undergo parallel composition. This should be done until the maximum number of tokens does not exceed the net capacity. Join and fork constructs may also need to be transformed. First of all, all synchronizations become explicit through the use of the internal state register represented by the place $p_{state}$. Places that need to be synchronized must have appropriate state variables set through the postconditions of their respective input transitions. Hence, the number of input places per transition is limited by the width of the state vector of the control net. Therefore, if a join construct synchronizes more input places than is permitted by the width of the state vector, the synchronization should be cascaded into several steps. Due to the fixed net capacity, the fork construct should avoid producing more tokens than can be accommodated in hardware. Moreover, there is a limit on the number of output places per transition. Therefore, some execution threads may need to be combined through parallel composition, or their invocation should be postponed until some of the execution threads have terminated. Note that at this level all conflicting transitions belonging to the same enabling marking will be assigned a unique priority number. Additional transformations may involve converting abstract input and output tokens into binary vectors of the types iin and iout.

Again, simulations and formal analysis should be applied at this level to verify 
the correct behavior of the aggregate system. If it is satisfactory, the control 
executable Petri Net is ready for compilation. If not, redesign either at this or 
at the high level is required. The compiled object code may be first simulated 
on a C or VHDL executable model of the PNDU which is especially useful for 
verification of timing constraints. If the simulated code meets the specifications, 
it is then programmed into a programmable memory (EPROM or EEPROM). 
At this stage the control executable Petri Net is implemented in software and 
the controller is ready to take over the control of the plant. 

5 Architecture of the Petri Net Decision Unit 

5.1 Memory Format 

The control executable Petri Net is compiled into machine code according to the memory format shown in Figures 6 and 7. The resulting code is a list of place blocks with their respective transition blocks. Place and transition blocks are unambiguously accessed since they have unique addresses in the compiled machine code. Figure 6 shows the encoding scheme for the base format with an 8-bit address bus and a 16-bit data bus. The ratio 1:2 between the address and data bus provides a reasonable trade-off between bus power dissipation, latency of transition block accesses and memory capacity measured in number of transition blocks. The memory format is scalable and Table 1 illustrates the effect of scaling.
Fig. 6. Memory format of the net encoding (figure not reproduced; field labels recovered from the figure). A transition block occupies lines 1 to 8 of 16-bit words, with bit fields 15..9 / 8 / 7..1 / 0:

line 1: input mask / conflict bit / input value / dummy bit
line 2: state precondition mask / p1 / state precondition / p0
line 3: state postcondition mask / even bit / state postcondition value / subr. bit
line 4: output mask / sink bit / output value / not used
lines 5 to 8 (selected by p1p0 = 00, 01, 10, 11): subroutine address / output place 1, output place 1/2, output place 2/3, output place 3/4, output place 4/5, output place 5/6, output place 6/7, output place 7/8
dummy transition (a single line, bits 15..0): 0...0 1 0...0 1



The first two lines of the transition block contain information associated with the precondition, and the following two lines encode the postconditions. Each bit of the precondition or the postcondition may be masked by a mask vector. Only when the mask bit is '1' are the actual values of the corresponding precondition bit and the input event bit compared with each other. Bits 0 and 8 of the first 4 lines are used to encode additional indicators. The number of lines containing addresses of output places of a transition is encoded in line two with bits p0 and p1. They allow the transition block to be 4 to 8 lines long. If a place has more than one output transition, bit 8 of line 1 indicates this by setting the conflict bit to '1'. The subroutine bit indicates whether the transition block has an optional subroutine address. This address is written to the SUB output port upon transition firing. It may be used by another processor which may optionally be interfaced with the PNDU. A dummy transition is indicated by a dummy bit set to '1', in which case the transition block consists of one line.
Table 1. Scalable system parameters of the PNDU

Address Bus  Data Bus  Inputs  Outputs  States  Memory Capacity
(bits)       (bits)    (bits)  (bits)   (bits)  (transitions)
8            16        7       7        7       32 - 64
16           32        15      15       15      (8.2 - 16.4) x 10^3
32           64        31      31       31      (0.54 - 1.1) x 10^9



This encoding scheme has no limit on the number of output transitions per place (conflict construct), since conflicting transitions with their conflict bits set are simply listed within the place block. The priority of conflicting transitions is derived from their relative position within the block. There is also no limitation on a merge construct since it is not explicitly encoded. The number of output places per transition in a fork construct is restricted to 8. Since join constructs explicitly use state register values, the number of input places per transition is limited to n − 1, where n is the width of the address bus.



place START
  transition
    00000001  1111111000000010    flags 0000001
    00000010  0000000000000000    precondition XXXXXXX
    00000011  0000000100000001    postcondition XXXXXXX
    00000100  1111111000000010    output 0000001
    00000101  0000000100000110    subroutine 00000001, postplace P1
  endtransition
endplace

place P1
  transition
    00000110  0000000100000001    dummy
  endtransition
  transition
    00000111  1111111100000100    flags 0000010
    00001000  0000000000000000    precondition XXXXXXX
    00001001  0000000000000001    postcondition XXXXXXX
    00001010  1111111000000100    output 0000010
    00001011  0000001000000000    subroutine 00000010
  endtransition
  transition
    00001100  1111111000000110    flags 0000011
    00001101  0000000000000000    precondition XXXXXXX
    00001110  0000000100000001    postcondition XXXXXXX
    00001111  1111111000000110    output 0000011
    00010000  0000001100000001    subroutine 00000011, postplace START
  endtransition
endplace

Fig. 7. Compiled machine code of the cePN of Fig. [?] (address and 16-bit word on the left, textual net description on the right)
A Petri Net compiler written in Perl compiles a textual description of the net into the binary code. The description is intuitively derived directly from the cePN. Figure 7 shows the correspondence between the description of the example Petri Net of Fig. [?] and the compiled code.
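The masked guard comparison of Eq. (4) and the don't-care postcondition update of Sect. 4.2, applied to the memory format of Sect. 5.1: as an added example (not the paper's Perl compiler or the PNDU's VHDL model), the Python below decodes the machine code of Fig. 7 into transition blocks and evaluates them. The exact bit layout, the meaning of the p1p0 count and the treatment of a zero output-place slot are assumptions read off Figs. 6 and 7 and are marked as such in the comments.

```python
"""Decode PNDU transition blocks of the base memory format (8-bit address bus,
16-bit data bus, 7-bit input/output/state vectors) and evaluate their masked
preconditions and postconditions.

Added example; not the paper's Perl compiler or its VHDL model. Assumed bit
layout (read off Fig. 6 and the listing of Fig. 7): in each of the first four
lines of a block, bits 15..9 hold a 7-bit mask (1 = compare, 0 = don't care),
bits 7..1 hold the 7-bit value, and bits 8 and 0 are indicator bits.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WIDTH = 7                 # vector width of the base format (Table 1)
VEC = (1 << WIDTH) - 1    # 0b1111111


def split_line(word: int) -> Tuple[int, int, int, int]:
    """Return (mask, bit8, value, bit0) of one 16-bit memory line."""
    return (word >> 9) & VEC, (word >> 8) & 1, (word >> 1) & VEC, word & 1


@dataclass
class TransitionBlock:
    address: int
    dummy: bool               # line 1, bit 0: one-line dummy transition
    conflict: bool            # line 1, bit 8: another conflicting transition follows
    in_mask: int = 0          # line 1: input precondition Pre_iin (mask/value)
    in_value: int = 0
    st_pre_mask: int = 0      # line 2: state precondition Pre_state
    st_pre_value: int = 0
    st_post_mask: int = 0     # line 3: state postcondition Post_state
    st_post_value: int = 0
    out_mask: int = 0         # line 4: output postcondition Post_iout
    out_value: int = 0
    subroutine: Optional[int] = None
    out_places: List[int] = field(default_factory=list)
    length: int = 1           # memory lines occupied by the block


def decode_block(mem: Dict[int, int], addr: int) -> TransitionBlock:
    """Decode the transition block starting at address `addr`."""
    in_mask, conflict, in_value, dummy = split_line(mem[addr])
    tb = TransitionBlock(addr, bool(dummy), bool(conflict), in_mask, in_value)
    if tb.dummy:
        return tb
    tb.st_pre_mask, p1, tb.st_pre_value, p0 = split_line(mem[addr + 1])
    tb.st_post_mask, _even, tb.st_post_value, subr = split_line(mem[addr + 2])
    tb.out_mask, _sink, tb.out_value, _ = split_line(mem[addr + 3])
    # Assumption: p1p0 = 00..11 selects 1..4 trailing lines, each holding two
    # 8-bit addresses (subroutine address and/or output places).
    n_extra = ((p1 << 1) | p0) + 1
    addrs: List[int] = []
    for i in range(n_extra):
        word = mem[addr + 4 + i]
        addrs += [word >> 8, word & 0xFF]
    if subr:                  # subroutine bit: the first address is the subroutine
        tb.subroutine = addrs.pop(0)
    tb.out_places = [a for a in addrs if a]   # assumption: 0 = unused slot
    tb.length = 4 + n_extra
    return tb


def decode_place(mem: Dict[int, int], addr: int) -> List[TransitionBlock]:
    """Decode a place block: its transitions in priority order. In Fig. 7 every
    transition of a place except the last one carries the conflict bit."""
    blocks = []
    while True:
        tb = decode_block(mem, addr)
        blocks.append(tb)
        if not tb.conflict:
            return blocks
        addr += tb.length


def enabled(tb: TransitionBlock, event: int, state: int) -> bool:
    """Eq. (4) for one transition: input and state guards with don't cares.
    A bit is compared only where its mask bit is 1, so 'x' bits never veto."""
    return ((event ^ tb.in_value) & tb.in_mask) == 0 and \
           ((state ^ tb.st_pre_value) & tb.st_pre_mask) == 0


def fire(tb: TransitionBlock, state: int, out: int) -> Tuple[int, int]:
    """Overwrite the state and OUT registers with the masked postconditions;
    bits marked 'x' (mask 0) keep their previous value."""
    state = (state & ~tb.st_post_mask & VEC) | (tb.st_post_value & tb.st_post_mask)
    out = (out & ~tb.out_mask & VEC) | (tb.out_value & tb.out_mask)
    return state, out


# Machine code of Fig. 7, transcribed as {address: 16-bit word}.
FIG7_CODE: Dict[int, int] = {
    0x01: 0b1111111000000010, 0x02: 0b0000000000000000, 0x03: 0b0000000100000001,
    0x04: 0b1111111000000010, 0x05: 0b0000000100000110,   # START: t1 -> P1
    0x06: 0b0000000100000001,                             # P1: dummy transition
    0x07: 0b1111111100000100, 0x08: 0b0000000000000000, 0x09: 0b0000000000000001,
    0x0A: 0b1111111000000100, 0x0B: 0b0000001000000000,   # P1: t2 (conflict bit set)
    0x0C: 0b1111111000000110, 0x0D: 0b0000000000000000, 0x0E: 0b0000000100000001,
    0x0F: 0b1111111000000110, 0x10: 0b0000001100000001,   # P1: t3 -> START
}

if __name__ == "__main__":
    t1 = decode_block(FIG7_CODE, 0x01)
    print(enabled(t1, 0b0000001, 0), fire(t1, 0, 0), t1.subroutine, t1.out_places)
    print([(tb.dummy, tb.in_value, tb.out_places) for tb in decode_place(FIG7_CODE, 0x06)])
```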



5.2 Hardware Architecture of the Petri Net Decision Unit 

The architecture of the Petri Net Decision Unit is summarized in Figure 8. The four main modules are: First In First Out (FIFO) buffer, Active Place Buffer (APB), Cache and Control. The interface to the plant is done through the parallel IN and OUT ports. The IN port is fed into the FIFO buffer, which is responsible for capturing new plant events. A new event is defined as an input vector whose value differs from the current event value. If a new event is detected, it is latched into the FIFO and the Control module receives a signal that processing can begin. If none of the currently enabled transitions fires, the event is invalid since its value does not match any of the preconditions. Such an event is overwritten by a subsequently arriving event, and in the absence of a valid event the execution of the PNDU suspends. Once a new event is detected, a new processing cycle is promptly initiated. This type of processing reflects the event-driven nature of the PNDU hardware architecture. The OUT port is a register whose value is updated with the control event outputs of firing transitions. The SUB parallel port may be used to interface the PNDU to other computing devices.




Fig. 8. Block diagram of the PNDU 
The Active Place Buffer contains slots which store and process the preconditions of the currently enabled transitions. One slot is allocated for each marked or active place. Preconditions of enabled transitions are first stored in reg registers. A firing check is performed on all slots in parallel using the comparator module. If the preconditions are true, the slot is marked as hot in the corresponding hpb register, indicating that the transition contained in this slot will fire. The address register module keeps track of the addresses of active places, while the decoding engine is in charge of the correct operation of such tasks as the resolution of conflicting transitions.




Fig. 9. PNDU execution algorithm 



The overall execution of the PNDU is managed by the Control module according to the algorithm summarized in Fig. 9. The Init phase is the initialization stage triggered by the Reset signal. At any given time the PNDU is either in the waiting mode Flagevent or in the execution mode consisting of the Compare, Fire, Conflict and Update phases. Once a new event is detected, processing is initiated by testing the preconditions stored in the slots (Compare phase). All transitions marked as hot fire in sequence (Fire phase). First, the postconditions and the subroutine address of a firing transition are read from PROM and written to the OUT and SUB registers. Then, the addresses of the output places are written into the APB module. If a place has conflicting transitions, their preconditions are read from PROM and tested according to the assigned priority (Conflict phase). At the end of the execution cycle, depending on whether any transition has fired, some registers are overwritten with new information (Update phase).
Fig. 10. Circuit layout and the fabricated integrated circuit of the PNDU 



The PNDU was developed using a typical ASIC design methodology, starting 
with a parameterized VHDL (Very High Speed Integrated Circuit Hardware 
Description Language) model. The depth of the FIFO, the number of slots in the 
APB, and the other system parameters listed in the parameter table are defined by the user prior 
to circuit synthesis. The base 8-bit model was synthesized into the 0.35 µm 
5-metal Alcatel digital CMOS standard cell technology. The prototype 
has 8 slots in the APB and a FIFO depth of 8. The circuit contains 
approximately 7500 standard cells and features a 64-word cache block which speeds 
up memory accesses by an order of magnitude. The final 8.4 mm² circuit layout 
is shown in Fig. 10. 




Fig. 11. Event response rate of the PNDU at f_clk,max (plot; x-axis: Event Input Rate, MHz, ticks 0 to 12) 
The prototype was fabricated at IMEC, Belgium, through the Europractice 
Academic Program. Its Pin Grid Array (PGA-100, 33.5x33.5 mm) ceramic 
package is shown in Fig. 10. When interfaced with two 8-bit MX271000L UV 
erasable EPROMs the PNDU runs at 80 MHz (limited by the EPROM access 
times) and dissipates between 100 and 120 mW of power depending on the 
event input rate. At this speed the PNDU is capable of firing a transition within 
roughly 300 ns. Figure 11 shows a typical event response characteristic of the 
PNDU operating at the maximum clock frequency. 

6 Conclusions 

Control executable Petri Nets presented in this paper offer a convenient modeling 
paradigm for the design of discrete event control systems. The system design 
methodology offers elegant handling of concurrency complemented by the pos- 
sibility of formal verification. It is oriented toward embedded implementations 
based on the proposed programmable event-driven controller which is optimized 
to process control specifications formulated in terms of control executable Petri 
Nets. The specifications are compiled into binary code according to an efficient 
net encoding scheme with 4 to 8 memory lines per transition. This is critical in 
embedded systems design where the code size is an important factor. The result- 
ing compact code is programmed into conventional parallel EPROM/EEPROM. 

The fabricated integrated circuit of the PNDU prototype is capable of track- 
ing eight execution threads. It processes all classes of PN directly in hardware 
and fires transitions in an event-driven fashion. Its architecture is complemented 
with an on-chip cache. This ensures that the transition firing rate improves with 
increasing concurrency. Running at 80 MHz and executing 8 concurrent processes 
it fires up to 4 million transitions per second dissipating only 120 mW of power. 

Continued work on precise characterization of the timing response of the controller 
will enable future incorporation of timing into the system design methodology. 
This will make it feasible to apply the controller to discrete event embedded 
systems with stringent real-time requirements. 
Abstract. We present a state space method for Petri nets having a time 
concept based on a global clock and associating time stamps to tokens. 
The method is based on equivalence on states and makes it possible 
to condense the usually infinite state space of such timed Petri nets 
into a finite state space without losing analysis power. The practical 
application of the method is demonstrated on a large example of an 
audio/video protocol by means of a computer tool implementing the 
method. 



1 Introduction 

It is generally recognised that time plays an important role in many concurrent 
and distributed systems. This has motivated the development and extension of 
several modelling languages and analysis methods to support validation of timed 
systems. In the area of Petri nets, different time concepts and extensions to 
the basic formalism have been introduced, making it possible to reason about 
timed systems. Some time concepts for Petri nets focus on time aspects when 
investigating logical correctness whereas others focus on performance 
analysis. 

In this paper the focus is on time when investigating the logical correctness 
of systems by means of state spaces. State space analysis is one of the main 
analysis methods of Petri nets. The basic idea behind state spaces is to compute 
a directed graph with nodes representing the reachable states of the system 
and arcs representing the possible state changes. We consider the time concept 
of timed Coloured Petri Nets (CP-nets or CPNs). The time concept of CP-nets is 
inspired by earlier timed Petri net models and is based on the 
introduction of a global clock used to represent model time. In addition, tokens 
in a timed CP-net carry time stamps. Intuitively, the time stamp of a token 
describes the earliest model time at which the token can be consumed, i.e., be 
removed by the occurrence of a transition. The execution of a timed CP-net 
is time driven. The system remains at a given model time as long as there 
are enabled transitions. When no more transitions are enabled at the current 
model time, the global clock is incremented to the earliest next model time at 
which transitions are enabled. Despite its simplicity, this time concept has been 
successfully applied for simulation-based performance analysis in a number of 
case studies, e.g., in the areas of high-speed interconnects and ATM networks. 
For investigating logical correctness of timed systems, the main shortcoming 
of this time concept is that it does not work well with state space methods. 
The main problem with state spaces for timed CP-nets as originally defined is 
that for reactive/cyclic systems the state space often becomes infinite. This is 
because the absolute notion of time is carried over into the state space. As a 
consequence, state space analysis of timed CP-nets so far has had to rely on 
partial state spaces, i.e., finite subsets of the full state space. An example of this 
can be found in earlier work. 

The contribution of this paper is a state space method which reconciles state 
spaces and a time concept as in timed CP-nets. The idea behind the method is 
to use equivalence on the states to factor out the absolute notion of time, and to 
ignore the time stamps of tokens which are in a certain sense not important. In 
this way the usually infinite state space can be condensed into a finite state space. 
This condensed state space can be computed using a variant of the standard 
algorithm for state space construction, but without constructing the full state 
space. We show that the quotient structure obtained can be used for model 
checking using discrete time temporal logics such as RTCTL. 

Using equivalences for condensing infinite state spaces of timed CP-nets into 
finite state spaces has also been investigated in earlier work, where it was also 
suggested as a possible solution. We give a further discussion of the relationship 
between the methods in this paper and those earlier results at the end 
of this paper. The state space method presented is not tied to timed CP-nets 
and works equally well for timed Place/Transition Nets (PT-nets). Because of 
this, and in order to keep the presentation simple, we present our results in the 
context of timed PT-nets. 

The paper is organised as follows. Section 2 informally introduces timed 
PT-nets. Section 3 informally introduces our notion of equivalence and condensed 
state spaces of timed PT-nets. Section 4 formally defines timed PT-nets. Section 
5 formally defines our notion of equivalence and condensed state spaces. 
Section 6 proves that our notion of equivalence is sound. Section 7 describes the 
properties preserved by our equivalence notion. Section 8 gives some numerical 
data on the performance of the method on a large case study. Finally, Sect. 9 
contains the conclusions and a further discussion of related work. The reader is 
assumed to be familiar with untimed PT-nets. 



2 Timed PT-Nets 

In this section we informally introduce timed PT-nets. We formally define timed 
PT-nets in Sect. 4. A timed PT-net is a PT-net extended with a global clock, 
and with time stamps associated to tokens. The left-hand side of Fig. 1 shows a 
small timed PT-net modelling a mutex between two processes A and B. While 
markings of untimed PT-nets consist solely of a distribution of tokens on places, 
markings of timed PT-nets have time stamps associated to each token. In Fig. 1 
each token (indicated by a black dot) has an associated dashed box giving the 
time stamp of the token. On the left-hand side of Fig. 1 the initial marking is 
indicated. Initially, there is one token on each of the places AIdle, Mutex, and 
BIdle. Initially, all other places contain no tokens. This models that initially both 
process A and B are idle and the mutex is unlocked. All tokens initially have 
time stamp 0. 





Fig. 1. A timed PT-net modelling a mutex between two processes. 

A state of a timed PT-net consists of a marking (i.e., a distribution of tokens 
on the places including their time stamps), and the model time (the global clock). 
We will use 0 as the initial global clock value of the mutex in Fig. 1. 

The basic idea behind the dynamic behaviour of timed PT-nets is that a 
transition will not be enabled at a given model time unless the tokens to be 
removed have time stamps which are less than or equal to the model time. The PT-net 
remains at a given model time as long as there are enabled transitions. When 
no more transitions are enabled at the current model time, the model time 
is incremented to the smallest time at which a transition becomes enabled. In 
addition to the weights associated to arcs in untimed PT-nets, arcs in timed 
PT-nets have associated time lists, i.e., arc labels of the form $[r_1, r_2, \ldots, r_n]$. The 
meaning of the inscription on output arcs is that an occurrence of the transition 
will produce $n$ tokens with time stamps which are respectively $r_1, r_2, \ldots, r_n$ time 
units larger than the current model time. To model that an event takes $\Delta r$ time 
units, one can let the corresponding transition create time stamps for its output 
tokens which are $\Delta r$ time units larger than the model time. These tokens will 
then be unavailable for $\Delta r$ time units. For input arcs the meaning of the arc 
inscription is that the transition will only be enabled if there exist $n$ tokens on 
the input place whose time stamps are less than or equal to the current model 
time increased by $r_1, r_2, \ldots, r_n$, respectively (the comparison is made precise 
in Def. 5). In the example of Fig. 1 the time stamps of 
all input arcs are equal to 0, i.e., the current model time must at least be equal 
to the time stamp of tokens before they can be consumed. All examples and 
informal explanations given in the rest of this paper will assume that all time 
stamps on input arcs are 0. 

As an example, the transition ALock in the initial state shown in Fig. 1 is 
enabled, indicated by the thicker border. The transition is enabled since the 
tokens on places AIdle and Mutex both have a time stamp which is less than 
or equal to the initial model time which is 0. In a similar way, the transition 
BLock is enabled. If the transition ALock occurs in the initial state, we obtain 
the marking shown on the right-hand side of Fig. 1. In this state no transition is 
enabled and hence the model time will be incremented to 1 at which model time 
the transition AUnlock becomes enabled. When this transition occurs we reach 
a state which is similar to the initial state shown on the left-hand side, except 
that the place AIdle now contains a token with time stamp 2, Mutex contains a 
token with time stamp 3, and the global clock has been increased to 1. 

The model time when a state is created is called the creation time of the 
state. The creation time of both states in Fig. 1 is 0. The time where the next 
transition can occur is called the termination time of the state. For the state on 
the left-hand side in Fig. 1 the termination time is 0. The termination time for 
the state on the right-hand side is 1, since the earliest time at which a transition 
(AUnlock) becomes enabled is 1. This means that each state exists inside a closed 
interval of time between creation and termination time. 



3 Condensed State Spaces for Timed PT-Nets 

We now informally introduce the method for constructing condensed state spaces 
for timed PT-nets. We formally define the method in Sect. 5. The basic idea is 
to use an equivalence relation on the states to factor out the absolute notion 
of time, and to ignore the time stamps of tokens which are not important in a 
certain sense. 

Figure 2 shows the initial part of the full state space for the mutex example 
from Fig. 1. The dashed box positioned next to a node specifies the marking, 
the creation time and the termination time of the state. Node 0 corresponds to 
the initial state of the PT-net. Node 1 corresponds to the state shown on the 
right-hand side of Fig. 1. The marking corresponding to node 1 has been written 
as ARunning[1] + BIdle[0] (see node 1). This should be read as place ARunning 
containing one token with time stamp 1 and place BIdle containing one token 
with time stamp 0. The state corresponding to node 1 has creation time 0 and 
termination time 1. This is written as Time : 0-1. Each edge has an associated 
label specifying the name of the occurring transition. Since time progresses in 
each loop executed by the two processes, both the model time and the time 
stamps of tokens will get larger and larger values and thus create new states. 
Thus the full state space of the mutex example is infinite as a result of increasing 
time stamps. 

Fig. 2. Initial part of the full state space for the timed mutex PT-net (graph; node 0 is labelled Time : 0-0, AIdle[0] + Mutex[0] + BIdle[0]). 

It can be noticed that time is only used to model delays. Only the relative 
differences between time stamps and model time, not the absolute values, affect 
the future behaviour. If we compare state 1 to state 7 in Fig. 2 they have identical 
token distributions and the only difference is that creation time, termination time and all 
time stamps of tokens have been increased by 3. This means that we will have the 
same possibility of future behaviour for state 1 and state 7. We generalise this to 
observing that when we reach a new state equal to a state already seen, except 
that the global clock and all time stamps of the tokens have been increased by 
the same amount, then we will have exactly the same future behaviours from 
the new state as from the state we have already seen. This means that we can 
consider two states as being similar (equivalent), if we can obtain one from the 
other by moving both creation time and token time stamps by the same amount, 
thereby keeping the relative distance between time stamps and the global clock. 
Moreover, we can observe that time stamps less than or equal to creation time 
are interchangeable with respect to enabling of transitions. When the time stamp 
is lower than the model time, the token can be consumed. How much lower than 
the global clock is not important. We can ignore all time stamps lower than 
the creation time of the state without affecting the future behaviour. We call 
states which are similar in the above sense creation time equivalent. Consider 
for instance Fig. 2. The states {1, 5, 7} are creation time equivalent. As we have 
already discussed, state 1 and state 7 are equivalent. State 5 and state 1 are also 
equivalent since, if we add 3 to the creation time and to all time stamps in state 
1 we get a state equal to state 5, except for the time stamp on the token on 
BIdle. Here we notice that all time stamps which are less than the creation time 
of a state can be considered as equivalent. In a similar way, states {2, 6, 8} are 
creation time equivalent. The states 0, 3 and 4 are only creation time equivalent 
to themselves. 

The basic idea behind condensed state spaces for timed PT-nets is to group 
such equivalent states into equivalence classes. If we group creation time equiva-
lent states of the initial part of the full state space in Fig. 2 into such equivalence 
classes, we obtain the condensed state space shown in Fig. 3. Each node now 
represents an equivalence class of states, e.g., node 1 represents states {1, 5, 7} 
from Fig. 2. The labels associated with the nodes now indicate a representative 
of the corresponding equivalence class. In fact, the infinite full state space of the 
mutex example is represented by the condensed state space shown in Fig. 3. 

There is yet another observation to make: there are not necessarily any transi-
tions enabled at the creation time of a state. With creation time equivalence we 
distinguish time stamps between the creation time and the termination time of a 
state. For example, the states 3 and 4 in Fig. 2 are not creation time equivalent 
because they differ on the time stamps of the tokens on places AIdle and BIdle 
and are thus different states. However, in both cases the only significant time 
stamp is the one on the token on place Mutex. At the termination time, the 
tokens on AIdle and BIdle will in both cases have time stamps less than or equal 
to the termination time. Hence, the difference between the two states does not 
affect the future behaviour. All time stamps less than or equal to the termination 
time might as well be equal to the termination time. States which are similar in 
this sense we call termination time equivalent. If we apply termination time 
equivalence to the mutex PT-net, we obtain the condensed state space shown in 
Fig. 4. Compared to the condensed state space in Fig. 3, states 3 and 
4 are now also considered equivalent. 

Fig. 3. Condensed state space for mutex PT-net using creation time equivalence (graph; recovered node labels: Time : 0-0 AIdle[0] + Mutex[0] + BIdle[0]; Time : 0-1 BRunning[1] + AIdle[0]; Time : 1-3 AIdle[2] + Mutex[3] + BIdle[0]; Time : 1-3 AIdle[0] + Mutex[3] + BIdle[3]; edges labelled ALock, BLock). 



Fig. 4. Condensed state space for mutex PT-net using termination time equivalence (graph; recovered node labels: Time : 0-0 AIdle[0] + Mutex[0] + BIdle[0]; Time : 0-1). 

The above shows that termination time equivalence is weaker than creation 
time equivalence, i.e., considers more states equivalent. Hence, termination time 
equivalence gives better reduction of the state space than creation time equiva- 
lence. Furthermore, the information lost when going from creation time to ter- 
mination time equivalence seems to be of little practical importance. 

4 Formal Definition of Timed PT-Nets 

In this section we formally define timed PT-nets. Except for minor notational 
differences, this section is essentially a formulation of the time concept of timed 
CP-nets at the level of PT-nets. We include references to the corresponding 
definitions even though they are not identical. Formally, the extension of untimed 
PT-nets to timed PT-nets is captured through the concept of timed multi-sets. 



Definition 1. (Def. 5.1 for timed CP-nets) A timed multi-set $tm$ over a set $S$ is a function 
$tm : S \times \mathbb{R} \to \mathbb{N}$ such that the formal sum $tm(s) = \sum_{r \in \mathbb{R}} tm(s, r)$ is finite for all 
$s \in S$. $S_{TMS}$ denotes the set of all timed multi-sets over $S$. $\square$ 

The non-negative integer $tm(s)$ is the number of appearances of the element 
$s$ in the timed multi-set $tm$. The time list of $s$, $tm[s] = [r_1, r_2, \ldots, r_{tm(s)}]$, is 
defined to contain the time values $r \in \mathbb{R}$ for which $tm(s, r) \neq 0$. Each $r$ appears 
$tm(s, r)$ times in the list, which is sorted such that $r_i \leq r_{i+1}$ for $1 \leq i < tm(s)$. 
We usually represent a timed multi-set $tm$ by a formal sum $\sum_{s \in S} s\, tm[s]$, 
e.g., ARunning[1] + BIdle[0] is the timed multi-set that maps (ARunning, 1) and 
(BIdle, 0) to 1, and everything else to 0. For a time list $tm[s] = [r_1, r_2, \ldots, r_n]$ 
and a time value $r \in \mathbb{R}$, $tm[s]^{+r}$ is the time list obtained from $tm[s]$ by adding $r$ 
to each element, i.e., $tm[s]^{+r} = [r_1 + r, r_2 + r, \ldots, r_n + r]$. For a timed multi-set 
$tm$, $tm^{+r}$ denotes the timed multi-set obtained by adding $r$ to all time stamps. 

It follows from Def. 1 that each timed multi-set over $S$ is also an ordinary 
multi-set over $S \times \mathbb{R}$. This allows us to define $+$, $\neq$, and $=$ for timed multi-sets 
over $S$ to be identical to the corresponding operations for ordinary multi-sets 
over $S \times \mathbb{R}$. Comparison ($\leq$) and subtraction ($-$) could be defined in a similar 
fashion, but this is inadequate for our purposes, since then $tm_1 \leq tm_2$ would 
require that each element in $tm_1$ appears in $tm_2$ with exactly the same time 
value. This is too strict since it is only required that the time stamp of a token 
is less than or equal to the current model time for the token to be available. 

First we define comparison and subtraction of time lists. In the following we 
assume that $a = [a_1, a_2, \ldots, a_m]$ and $b = [b_1, b_2, \ldots, b_n]$ are two ascending time 
lists over $\mathbb{R}$. We define $a \leq b$ iff $m \leq n$ and $a_i \geq b_i$ for all $i = 1, \ldots, m$. This 
means that if we increase the time values in a time list we get a smaller time list. 
When $a \leq b$, $b - a$ is defined to be the time list of length $n - m$ obtained from $b$ 
as follows: traverse the time list $a$ starting with $a_1$ and remove for each $a_i$ 
the largest element still in $b$ which is smaller than or equal to $a_i$. As an example, 
consider $a = [4, 4, 5]$ and $b = [2, 3, 4, 5, 8]$. Clearly, $a \leq b$ and $b - a = [2, 8]$. 

Having defined comparison and subtraction of time lists we now define the 
corresponding operations on timed multi-sets. Intuitively, comparison is point- 
wise time list comparison, while subtraction is pointwise time list subtraction. 

Definition 2. (Def. 5.2 for timed CP-nets) For all $tm_1, tm_2 \in S_{TMS}$, comparison is defined 
by: $tm_1 \leq tm_2 \Leftrightarrow \forall s \in S : tm_1[s] \leq tm_2[s]$. When $tm_1 \leq tm_2$, subtraction is 
defined by: $tm_2 - tm_1 = \sum_{s \in S} s\,(tm_2[s] - tm_1[s])$. $\square$ 

We define a timed PT-net as a PT-net together with a set of time values and 
a start time. Usually arcs of PT-nets are defined by a weight function 
$W : P \times T \cup T \times P \to \mathbb{N}$, with pre and post mappings given implicitly by stating that 
$pre(t)$ consists of those places $p$ for which $W(p, t) \neq 0$ while $post(t)$ consists 
of those places $p$ for which $W(t, p) \neq 0$. We choose to define timed PT-
nets directly by the pre and post mappings since the introduction of time lists 
associated with arcs would complicate the definition of the weight function. 

Definition 3. (Def. 5.3 for timed CP-nets) A timed PT-net is a tuple $(PTN, r_0)$ where 
$PTN = (P, T, pre, post, m_0)$ satisfies that $P$ is a set of places, $T$ is a set 
of transitions such that $P \cap T = \emptyset$, $pre, post : T \to P_{TMS}$ are mappings 
from transitions to timed multi-sets over places, and $m_0 \in P_{TMS}$ is the initial 
marking. $r_0 \in \mathbb{R}$ is the start time. $\square$ 

Throughout this paper we assume, without loss of generality, that the start time 
is 0, i.e., $r_0 = 0$. Moreover, we will assume that all time stamps in timed multi-
sets specified by pre and post are greater than or equal to 0. This assumption 
simplifies the presentation and is of little practical importance since negative 
time stamps are seldom used in practice for modelling of systems. The results in 
the paper can however be generalised to handle also negative time stamps. The 
relationship between the pre and post mappings and the graphical representa-
tion of timed PT-nets is as follows. There is an arc leading from a place $p$ to a 
transition $t$ labelled with the time list $[r_1, r_2, \ldots, r_n]$ iff $pre(t)[p] = [r_1, r_2, \ldots, r_n]$. 
Similarly, there is an arc leading from a transition $t$ to a place $p$ labelled with 
the time list $[r_1, r_2, \ldots, r_n]$ iff $post(t)[p] = [r_1, r_2, \ldots, r_n]$. We formally define 
markings and states as follows. 

Definition 4. (Def. 5.4 for timed CP-nets) A marking of a timed PT-net is a timed multi-set 
over places. A state is a pair $(m, r)$ where $m \in P_{TMS}$ is a marking and $r \in \mathbb{R}$ is 
the creation time. The initial state $s_0$ is the pair $(m_0^{+r_0}, r_0)$. $\mathbb{M}$ denotes the 
set of all markings. $\mathbb{S}$ denotes the set of all states. $\square$ 

We extend our notation from markings to states in a straightforward man-
ner, i.e., $(m, r_0)^{+r} = (m^{+r}, r_0 + r)$. On the left-hand side of Fig. 1 the ini-
tial marking is indicated corresponding to the timed multi-set $m_0$ = AIdle[0] + 
Mutex[0] + BIdle[0]. The informal explanation of the semantics of timed PT-nets 
given earlier is formalised in the following definition. 

Definition 5. (Defs. 5.5 and 5.6 for timed CP-nets) A transition $t$ is enabled in a state 
$(m_1, r_1)$ at time $r_2 = r_1 + d$ iff $pre(t)^{+r_2} \leq m_1$ and $d \geq 0$ and there ex-
ists no other pair $(t', d') \in T \times \mathbb{R}$ with $d' < d$ satisfying this. This is writ-
ten $(m_1, r_1)[t, d\rangle$. When a transition $t$ is enabled in state $(m_1, r_1)$ at time $r_2$ 
it may occur, changing the state $(m_1, r_1)$ to the state $(m_2, r_2)$, where 
$m_2 = (m_1 - pre(t)^{+r_2}) + post(t)^{+r_2}$. This is written $(m_1, r_1)[t, d\rangle(m_2, r_2)$. We say 
that $r_2$ is the termination time of state $(m_1, r_1)$. $\square$ 

To illustrate the definition above, consider the initial state $(m_0, 0)$ shown on 
the left-hand side of Fig. 1. The transition ALock is enabled at time 0, since 
$pre(\mathrm{ALock})^{+0}$ = AIdle[0] + Mutex[0] $\leq m_0$ = AIdle[0] + Mutex[0] + BIdle[0], and 
0 is the smallest model time satisfying this. If ALock occurs in $(m_0, 0)$ it leads 
to the marking: 

$(m_0 - pre(\mathrm{ALock})^{+0}) + post(\mathrm{ALock})^{+0}$ = ARunning[1] + BIdle[0] 

at time 0. At model time 0, no more transitions are enabled and the model time 
is increased to 1 at which model time the transition AUnlock is enabled since: 

$pre(\mathrm{AUnlock})^{+1}$ = ARunning[1] $\leq$ ARunning[1] + BIdle[0]. 

Condensed State Spaces for Timed Petri Nets 109 

An occurrence of transition AUnlock leads to the marking: AIdle[2] + 
Mutex[3] + BIdle[0] at time 1. 

In contrast to the usual definition of timed CP-nets, we associate 
a delay with enabling and occurrence rather than an absolute time value, i.e., 
we write $(m_1, r_1)[t, d\rangle$ and $(m_1, r_1)[t, d\rangle(m_2, r_2)$ rather than $(m_1, r_1)[t, r_2\rangle$ and 
$(m_1, r_1)[t, r_2\rangle(m_2, r_2)$. The $d$ in the definition above is redundant, since it can 
be calculated from the time values $r_1$ and $r_2$. We have chosen to associate the 
delay between creation times with the occurring transitions since this simplifies the 
presentation of the results in the following sections. 

An occurrence sequence of a timed PT-net is a sequence consisting of states 
$s_i = (m_i, r_i)$ and pairs $(t_i, d_i)$ consisting of a transition and a time value, denoted 
$s_1[t_1, d_1\rangle s_2 \cdots s_{n-1}[t_{n-1}, d_{n-1}\rangle s_n$ and satisfying $s_i[t_i, d_i\rangle s_{i+1}$ for $i = 1, \ldots, n-1$. 
A state $s'$ is reachable from a state $s$ iff there exists an occurrence sequence 
leading from $s$ to $s'$. $[s\rangle$ denotes the set of all states reachable from a state $s$. 
$[s_0\rangle$ denotes the set of reachable states. 

5 Formal Definition of Condensed State Spaces 

In this section we formally define condensed state spaces and termination time 
equivalence for timed PT-nets. Full state spaces for timed PT-nets can be defined 
as for ordinary untimed PT-nets, except that the nodes now represent states 
instead of markings. 

Definition 6. The full state space of a timed PT-net is the directed graph 
$(V, E)$ where $V = [s_0\rangle$ and $E = \{(s, (t, d), s') \in V \times (T \times \mathbb{R}) \times V \mid s[t, d\rangle s'\}$. $\square$ 

Each node in the full state space corresponds to a reachable state of the PT- 
net and each edge corresponds to an occurring transition. An edge (s, {t,d),s') 
between two nodes s and s' means that the transition t is enabled in state s at 
a model time which is d time units higher than the creation time of s, i.e., d 
is the difference between the creation time and the termination time of s. The 
occurrence of the transition at this model time leads to state s' . 

The equivalence relations which will serve as a basis for obtaining the con- 
densed state space will constitute a so-called equivalence specification. 

Definition 7. An equivalence specification for a timed PT-net is an equiv-
alence relation $\approx$ on $\mathbb{S}$. $\mathbb{S}_\approx$ denotes the set of all equivalence classes for $\approx$. For 
a state $s \in \mathbb{S}$, $[s]_\approx \in \mathbb{S}_\approx$ denotes the equivalence class of $\approx$ containing $s$. $\square$ 

When the relation $\approx$ is known from the context, we write $[s]$ instead of $[s]_\approx$. 
The definition of equivalence specifications can be generalised by including an 
equivalence relation on pairs of transitions and time values, i.e., the edges in the 
state space. This more general definition is the usual definition of equivalence 
specifications. However, to specify termination time equivalence 
we do not need this more general form. 

In order to do verification based on condensed state spaces, we require that 
the equivalence specification has the property that equivalent states are known 
to have similar behavioural properties. This is captured by the concept of con-
sistency of equivalence specifications. 

Definition 8. An equivalence relation $\approx$ is consistent iff the following condi-
tion holds for all states $s_1, s_1' \in \mathbb{S}$, $(t, d) \in T \times \mathbb{R}$, and $s_2 \in [s_1]_\approx$: 

$s_1[t, d\rangle s_1' \Rightarrow \exists s_2' \in [s_1']_\approx : s_2[t, d\rangle s_2'$ $\square$ 

The consistency requirement ensures that equivalent states have identical sets 
of pairs of enabled transitions and delays, and equivalent sets of immediate 
successor states. Condensed state spaces for timed PT-nets are defined as follows. 

Definition 9. Let $\approx$ be a consistent equivalence specification. The condensed 
state space is the directed graph $(V, E)$, where $V = \{C \in \mathbb{S}_\approx \mid C \cap [s_0\rangle \neq \emptyset\}$ and 
$E = \{(C_1, (t, d), C_2) \in \mathbb{S}_\approx \times (T \times \mathbb{R}) \times \mathbb{S}_\approx \mid \exists (s, s') \in C_1 \times C_2 : s[t, d\rangle s'\}$. $\square$ 

The condensed state space has a node for each equivalence class containing a 
reachable state. The condensed state space has an edge between two nodes iff 
there is a state in the equivalence class of the source node in which a transition 
is enabled, and whose occurrence leads to a state in the equivalence class of the 
destination node. 

We now formalise termination time equivalence. We define the operation 
$\lceil - \rceil_r$ on timed multi-sets to be the operation that sets all time stamps less than 
or equal to $r$ to $r$. For any non-dead state $s \in \mathbb{S}$, let $m(s)$ be the time value 
$d \in \mathbb{R}$ for which there exists $t \in T$ such that $s[t, d\rangle$. For a dead state $s \in \mathbb{S}$ (i.e., 
a state in which the creation time cannot be increased to enable some transition) we 
define $m(s) = 0$, i.e., for a dead state, the termination time will be equal to the creation 
time. We extend our notation from timed multi-sets $\lceil - \rceil_r$ to states such that 
for a state $s = (m, r)$ we write $\lceil (m, r) \rceil_{r'}$ as a shorthand for $(\lceil m \rceil_{r'}, r)$ and we 
will use the notation $\lceil s \rceil$ to denote $\lceil s \rceil_{r + m(s)}$. Termination time equivalence is 
formally defined as follows. 

Definition 10. Two states $s_1$ and $s_2 \in \mathbb{S}$ are termination time equivalent, 
written $s_1 \approx_{TT} s_2$, iff there exists $r \in \mathbb{R}$ such that: $\lceil s_1 \rceil = \lceil s_2 \rceil^{+r}$. $\square$ 

Informally, the definition above states that two states are termination time equiv-
alent if we are able to move all time values by $r$ in one state and obtain the 
other when considering all time values less than or equal to the termination time to 
be equal. It is rather straightforward to check that termination time equivalence 
is indeed an equivalence relation. 

The condensed state space method is usually implemented by representing each equivalence class by a representative state for the class. Construction of the condensed state space then follows the same procedure as the construction of the full state space with one exception. Whenever a new state is to be inserted into the condensed state space it is checked whether an equivalent state is already included in the condensed state space. To be able to implement the equivalence check efficiently, we will select a canonical representative, i.e., a unique representative for each equivalence class. The check then amounts to transforming the new state into this unique representative for the equivalence class and then checking (using ordinary equality) whether the resulting state has already been included in the condensed state space. The canonical representative for an equivalence class under termination time equivalence will be the unique state with creation time zero and with all time stamps of tokens between creation time and termination time set to termination time, i.e., for a state $s = (m,r)$ the canonical representative $\hat{s}$ is given by $\hat{s} = \lceil s \rceil^{-r}$. It is rather straightforward to check that this does indeed yield canonical representatives, i.e., for two states $s_1 = (m_1,r_1)$, $s_2 = (m_2,r_2)$: $\hat{s}_1 = \hat{s}_2$ iff $s_1 \approx_{TT} s_2$. The overhead incurred from the above computation of a canonical representative is rather small. The algorithm for construction of condensed state spaces has to find the termination time as part of computing the enabled transitions in a given state. Subtraction of creation time and ceiling of time stamps to termination time can be implemented in linear time in the number of tokens of $m$.
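The construction just described, as an added example in Python (not code from the paper or from Design/CPN): the visited set of a breadth-first state space construction is keyed on the canonical representative $\lceil s \rceil^{-r}$, so the equivalence check is ordinary equality. The page does not state the enabling and occurrence rule of timed PT-nets, so the rule in the code is an assumption: a token with time stamp $ts$ can serve an input-arc requirement with stamp $r + d + tl$ iff $ts \le r + d + tl$, and the matched tokens are the ones removed on occurrence. The net `CLOCK_NET`, the state encoding and all function names are constructed for this example.

```python
# Added example, not from the paper or Design/CPN: condensed state-space
# construction keyed on canonical representatives ceil(s)^{-r}.
# ASSUMED enabling/occurrence rule (the page does not state it): a token with
# stamp ts serves an input requirement with stamp r + d + tl iff ts <= r + d + tl,
# and the matched tokens are the ones removed on occurrence.
from collections import deque

# Constructed encoding: timed multi-set = {place: [time stamps]}; state = (m, r)
# with creation time r; net = {transition: (pre, post)} where pre/post map a
# place to the time list of the corresponding input/output arc.

def shift(tm, r):
    """(-)^{+r}: add r to every time stamp."""
    return {p: [ts + r for ts in sts] for p, sts in tm.items()}

def ceil_at(tm, r):
    """ceil(-)_r: raise every time stamp <= r to r."""
    return {p: [max(ts, r) for ts in sts] for p, sts in tm.items()}

def frozen(m, r):
    """Hashable key for a state; canonical forms are compared with plain ==."""
    return (tuple((p, tuple(sorted(s))) for p, s in sorted(m.items()) if s), r)

def enabling_delay(m, r, pre):
    """Minimal d >= 0 with pre^{+(r+d)} <= m (assumed rule) and the matched
    tokens; (None, None) if the transition cannot become enabled."""
    d, matched = 0, {}
    for p, tl in pre.items():
        have = sorted(m.get(p, []))
        if len(have) < len(tl):
            return None, None
        take = have[:len(tl)]          # oldest tokens give the smallest delay
        for ts, arc in zip(take, sorted(tl)):
            d = max(d, ts - arc - r)
        matched[p] = take
    return d, matched

def fire(m, r, pre, post):
    """Occurrence of (t, d): remove the matched tokens, add post^{+(r+d)}, and
    move creation time to r + d. Returns (d, m2, r2) or None."""
    d, matched = enabling_delay(m, r, pre)
    if d is None:
        return None
    m2 = {p: list(sts) for p, sts in m.items()}
    for p, take in matched.items():
        for ts in take:
            m2[p].remove(ts)
    for p, tl in post.items():
        m2.setdefault(p, []).extend(arc + r + d for arc in tl)
    return d, m2, r + d

def termination_delay(net, m, r):
    """m(s): the smallest delay at which some transition is enabled; 0 if dead."""
    ds = [enabling_delay(m, r, pre)[0] for pre, _ in net.values()]
    ds = [d for d in ds if d is not None]
    return min(ds) if ds else 0

def representative(net, m, r):
    """ceil(s)^{-r}: stamps up to termination time r + m(s) are raised to it,
    then r is subtracted from every stamp so that creation time becomes 0."""
    return shift(ceil_at(m, r + termination_delay(net, m, r)), -r), 0

def canonical(net, m, r):
    return frozen(*representative(net, m, r))

def explore(net, m0, r0=0, condensed=True, limit=10_000):
    """Breadth-first construction of the (condensed) state space. With
    condensed=True every new state is replaced by its canonical representative
    before the visited check. Returns (nodes, arcs, finished); finished is
    False when the node limit was hit, as happens for an infinite full space."""
    key = (lambda m, r: canonical(net, m, r)) if condensed else frozen
    rep = (lambda m, r: representative(net, m, r)) if condensed else (lambda m, r: (m, r))
    start = rep(m0, r0)
    nodes, arcs, queue = {key(*start): start}, set(), deque([key(*start)])
    while queue:
        if len(nodes) > limit:
            return nodes, arcs, False
        k = queue.popleft()
        m, r = nodes[k]
        for t, (pre, post) in net.items():
            res = fire(m, r, pre, post)
            if res is None:
                continue
            d, m2, r2 = res
            k2 = key(m2, r2)
            arcs.add((k, t, d, k2))
            if k2 not in nodes:
                nodes[k2] = rep(m2, r2)
                queue.append(k2)
    return nodes, arcs, True

# Constructed net: one place and one transition that consumes a token and puts
# it back one time unit later. Every occurrence advances creation time, so the
# full state space is infinite while the condensed one is finite (Theorem 1).
CLOCK_NET = {"t": ({"p": [0]}, {"p": [1]})}

def demo():
    nodes, arcs, finished = explore(CLOCK_NET, {"p": [0, 5]})
    _, _, full_finished = explore(CLOCK_NET, {"p": [0, 5]}, condensed=False, limit=200)
    return len(nodes), len(arcs), finished, full_finished  # (7, 7, True, False)
```

Running `demo()` shows the point of Theorem 1 on the constructed net: the full construction never terminates (it is cut off at the node limit), whereas the condensed construction stops after seven canonical representatives, all with creation time zero and no time stamp above $maxTV$. The `representative` function is the linear-time canonicalisation described above; `canonical` of a state and of a shifted copy of that state agree, which is the invariance Lemmas 1 and 2 establish.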

We conclude this section by a result concerning finiteness of condensed state spaces. For a finite PT-net we denote by $TV = \{tv_1, tv_2, \ldots, tv_n\}$ the set of time values appearing as time stamps on tokens in the initial marking, in time lists on input and output arcs of transitions, and as start time. A timed PT-net is bounded iff there exists a $k \ge 0$ such that for all places $p$ and reachable states $s = (m,r)$ we have that $|m(p)| \le k$. We will prove that the condensed state space of a finite bounded timed PT-net is finite if $TV \subseteq \mathbb{Q}$. Before we prove this result we will need two propositions. Proposition 1 states that only finitely many rational numbers in a bounded interval can be expressed as linear combinations of a finite set of rational numbers.

Proposition 1. (Lemma 4 in [?]) Let $q_1, q_2, \ldots, q_k \in \mathbb{Q}$ and $A, B \in \mathbb{R}$. The set $Q_{AB} = \{q = \sum_{i=1}^{k} n_i \cdot q_i \mid A \le q \le B \wedge n_1, n_2, \ldots, n_k \in \mathbb{Z}\}$ is finite. □

For a finite timed PT-net, the largest time value is defined by $maxTV = \max\{tv \in TV\}$. For a state $s$ we denote by $TS(s)$ the set of time stamps of tokens in $s$, and $maxTS(s) = \max\{ts \in TS(s)\}$ denotes the largest time stamp in $s$. Proposition 2 states that the creation time and the time stamps of tokens in any reachable state can be written as a linear combination of the time values of the PT-net, and it gives a bound on the time stamps of tokens and termination time relative to the creation time of a reachable state. The proposition follows by induction and from the enabling and occurrence rule of finite timed PT-nets.

Proposition 2. Let $s = (m,r) \in [s_0\rangle$. Then the following holds:

1. There exist $n_1, n_2, \ldots, n_n \in \mathbb{N}_0$ : $r = \sum_{i=1}^{n} n_i \cdot tv_i$

2. $\forall ts \in TS(s)\ \exists n_1, n_2, \ldots, n_n \in \mathbb{N}_0 : ts = \sum_{i=1}^{n} n_i \cdot tv_i$

3. $0 \le maxTS(s) \le r + maxTV$

4. If $s[(t,d)\rangle$ then $0 \le r + d \le r + maxTV$ □



Theorem 1. The condensed state space obtained using termination time equivalence is finite for all finite and bounded timed PT-nets with $TV \subseteq \mathbb{Q}$. □






Proof. First we prove that the number of equivalence classes of states containing a reachable state is finite. This is done by proving that only finitely many canonical representatives for such equivalence classes exist. Let $s = (m,r) \in [s_0\rangle$. It follows from Prop. 2(3) that $maxTS(s) \le r + maxTV$. Since the PT-net is bounded and finite, there is only a finite number of ways to distribute tokens on the places. We complete the proof by showing that the tokens can only have a finite number of time stamps. The canonical representative for $s$ is given by $\hat{s} = \lceil s \rceil^{-r}$, i.e., by setting time stamps less than or equal to termination time to termination time and subtracting $r$ from all resulting time stamps. If $s$ is a dead state, then termination time is equal to creation time, in which case $maxTS(\hat{s}) = maxTS(s) - r \le maxTV$. If $s$ is a non-dead state then by Prop. 2(4) we have $r + d \le r + maxTV$. Hence, $maxTS(\hat{s}) = \max(r + d, maxTS(s)) - r \le r + maxTV - r = maxTV$. Hence, in both cases $0 \le maxTS(\hat{s}) \le maxTV$. It follows from Prop. 2(1)-(2) that all time stamps in $\hat{s}$ can be written on the form $\sum_{i=1}^{n} n_i \cdot tv_i$ where $n_i \in \mathbb{Z}$. The tokens in $\hat{s}$ can therefore only have a finite number of time stamps by Prop. 1. The number of arcs of the condensed state space is bounded since the number of nodes is bounded and since only a finite number of transitions is enabled in a state. □

6 Consistency of Termination Time Equivalence 

In this section we prove the consistency of termination time equivalence. Consistency is the basic result which ensures that condensed state spaces obtained using termination time equivalence can be used for verification. To prove the consistency of termination time equivalence, we first give a proposition stating a number of basic properties of the timed multi-set operations $(-)^{+r}$ (adding $r$ to all time stamps) and $\lceil - \rceil_r$ (setting all time stamps less than or equal to $r$ to $r$).

Proposition 3. The operations $(-)^{+r}$ and $\lceil - \rceil_r$ are distributive in the sense that for $tm_1, tm_2 \in S_{TMS}$ the following holds:

1. $(tm_1 + tm_2)^{+r} = tm_1^{+r} + tm_2^{+r}$ and $(tm_1 - tm_2)^{+r} = tm_1^{+r} - tm_2^{+r}$

2. $\lceil tm_1 + tm_2 \rceil_r = \lceil tm_1 \rceil_r + \lceil tm_2 \rceil_r$ and $\lceil tm_1 - tm_2 \rceil_r = \lceil tm_1 \rceil_r - \lceil tm_2 \rceil_r$. □

Below we give two lemmas which state two fundamental properties about the relationship between time stamps, enabling, and occurrence. Lemma 1 below states that the absolute time values (but not the relative time values) can be moved without affecting enabling. Hence, enabling and occurrence do not depend on the absolute value of creation time and time stamps.

Lemma 1. Let $s_1, s_2 \in S$ be two states. The following holds for all $r \in \mathbb{R}$:

$s_1[t,d\rangle s_2 \Leftrightarrow (s_1^{+r})[t,d\rangle(s_2^{+r})$. □

Proof. We first prove the $\Rightarrow$ direction. Let $s_1 = (m_1,r_1)$, $r \in \mathbb{R}$, and assume $s_1[t,d\rangle$. By the definition of enabling, $d \ge 0$ is the minimal time value such that $pre(t)^{+(r_1+d)} \le m_1$. By adding $r$ on both sides of the inequality, $d$ is still the minimal time value such that $pre(t)^{+(r_1+d+r)} \le m_1^{+r}$. Hence, $s_1^{+r}[t,d\rangle$.

Now, let $s_2 = (m_2,r_2)$ be the result of the occurrence of $(t,d)$ in $(m_1,r_1)$, i.e., $m_2 = (m_1 - pre(t)^{+(r_1+d)}) + post(t)^{+(r_1+d)}$ and $r_2 = r_1 + d$. From Prop. 3(1) it now follows that $m_2^{+r} = (m_1^{+r} - pre(t)^{+(r_1+d+r)}) + post(t)^{+(r_1+d+r)}$, which is exactly the result of the occurrence of $(t,d)$ in $(m_1^{+r}, r_1 + r) = s_1^{+r}$. Hence, $(s_1^{+r})[t,d\rangle(s_2^{+r})$. The $\Leftarrow$ direction follows from the above by setting $s_1 = s_1^{+r}$, $s_2 = s_2^{+r}$, $r = -r$, and exploiting that for all states $s$: $(s^{+r})^{-r} = s$. □

Lemma 2 below states that time values less than or equal to the termination time do not affect enabling. Hence, enabling and occurrence are independent of tokens with time stamps less than or equal to termination time.

Lemma 2. Let $s_1 = (m_1,r_1)$, $s_2 \in S$ be two states. The following holds:

$s_1[t,d\rangle s_2 \Leftrightarrow (\lceil s_1 \rceil_{r_1+d})[t,d\rangle(\lceil s_2 \rceil_{r_1+d})$. □

Proof. We first prove the $\Rightarrow$ direction. Assume that $s_1[t,d\rangle$. By the definition of enabling, $d \ge 0$ is the minimal time value such that $pre(t)^{+(r_1+d)} \le m_1$. By applying the $\lceil - \rceil_{r_1+d}$ operation on the right hand side of the inequality, $d$ is still the minimal time value such that $pre(t)^{+(r_1+d)} \le \lceil m_1 \rceil_{r_1+d}$. Hence, $(\lceil s_1 \rceil_{r_1+d})[t,d\rangle$. Now, let $s_2 = (m_2,r_2)$ be the result of the occurrence of $(t,d)$ in $(m_1,r_1)$, i.e., $m_2 = (m_1 - pre(t)^{+(r_1+d)}) + post(t)^{+(r_1+d)}$ and $r_2 = r_1 + d$. From Prop. 3(2) it now follows that: $\lceil m_2 \rceil_{r_1+d} = (\lceil m_1 \rceil_{r_1+d} - \lceil pre(t)^{+(r_1+d)} \rceil_{r_1+d}) + \lceil post(t)^{+(r_1+d)} \rceil_{r_1+d}$. Since all time stamps in $pre$ and $post$ are positive by assumption, $\lceil pre(t)^{+(r_1+d)} \rceil_{r_1+d} = pre(t)^{+(r_1+d)}$ and $\lceil post(t)^{+(r_1+d)} \rceil_{r_1+d} = post(t)^{+(r_1+d)}$. Hence $\lceil m_2 \rceil_{r_1+d}$ is exactly the result of the occurrence of $(t,d)$ in $(\lceil m_1 \rceil_{r_1+d}, r_1) = \lceil s_1 \rceil_{r_1+d}$ and therefore $(\lceil s_1 \rceil_{r_1+d})[t,d\rangle(\lceil s_2 \rceil_{r_1+d})$. The $\Leftarrow$ direction is similar. □

Theorem 2. The equivalence relation $\approx_{TT}$ is consistent for timed PT-nets. □

Proof. Let $s_1 = (m_1,r_1)$, $s_2 = (m_2,r_2) \in S$ be two states. Assume $s_1[t,d\rangle s'_1$ and that $s_1 \approx_{TT} s_2$, i.e., $\exists r \in \mathbb{R}$ such that: $(\lceil s_1 \rceil_{r_1+d})^{+r} = \lceil s_2 \rceil_{r_2+d}$ and $r_2 = r_1 + r$. Now,

$s_1[t,d\rangle s'_1$

$\Rightarrow (\lceil s_1 \rceil_{r_1+d})[t,d\rangle(\lceil s'_1 \rceil_{r_1+d})$ (Lemma 2)

$\Rightarrow ((\lceil s_1 \rceil_{r_1+d})^{+r})[t,d\rangle((\lceil s'_1 \rceil_{r_1+d})^{+r})$ (Lemma 1)

$\Rightarrow (\lceil s_2 \rceil_{r_2+d})[t,d\rangle((\lceil s'_1 \rceil_{r_1+d})^{+r})$ (since $(\lceil s_1 \rceil_{r_1+d})^{+r} = \lceil s_2 \rceil_{r_2+d}$)

$\Rightarrow (\lceil s_2 \rceil_{r_2+d})[t,d\rangle(\lceil s'^{+r}_1 \rceil_{r_2+d})$ (since $(\lceil s'_1 \rceil_{r_1+d})^{+r} = \lceil s'^{+r}_1 \rceil_{r_2+d}$)

$\Rightarrow s_2[t,d\rangle(s'^{+r}_1)$ (Lemma 2)

Since $s'^{+r}_1 \approx_{TT} s'_1$, this proves that $\approx_{TT}$ is consistent. □

7 Properties Preserved 

We now turn to the properties preserved by termination time equivalence. To this end we consider quantitative temporal logics (see [1] for a survey), and introduce a discrete real-time temporal logic called RTCTL*. RTCTL* is obtained from CTL* [?] by the addition of time-bounded operators. This is done in the same way as the temporal logic RTCTL was obtained from CTL in [11]. It should be stressed that our aim here is not to suggest RTCTL* as a temporal logic for verification of timed PT-nets. It is merely a tool to show which properties of the system are preserved when using condensed state spaces and termination time equivalence. One can then use a subset of RTCTL* such as RTCTL [11], which has efficient model checking algorithms, or use specially tailored algorithms for the concrete verification question at hand. What is important is that if the verification question can be expressed in RTCTL*, then the results in this section ensure that the answer to the verification question is preserved by the condensation, independently of which algorithm is then used to actually compute the answer. Since all standard dynamic properties of PT-nets can be expressed in RTCTL*, it immediately follows from this section that all these properties are preserved by termination time equivalence.

First we briefly define the syntax and semantics of RTCTL* in the context of timed PT-nets. There are two types of formulas in RTCTL*: state formulas (which are true/false in a specific state) and path formulas (which are true/false along a specific path/occurrence sequence). Let $\Pi$ be a set of atomic state propositions, i.e., functions from $S$ to $\{True, False\}$. State formulas are defined as:

• $\pi$ if $\pi \in \Pi$;

• if $\phi$, $\phi_1$, and $\phi_2$ are state formulas, then $\neg\phi$ and $\phi_1 \vee \phi_2$ are state formulas;

• if $\psi$ is a path formula, then $E\psi$ is a state formula.

Path formulas are defined as:

• if $\phi$ is a state formula, then $PF(\phi)$ is a path formula;

• if $\psi$, $\psi_1$, and $\psi_2$ are path formulas, then $\neg\psi$, $\psi_1 \vee \psi_2$, $X\psi$, and $\psi_1\, U\, \psi_2$ are path formulas;

• if $\psi_1$ and $\psi_2$ are path formulas and $r \in \mathbb{R}$, then $\psi_1\, U^{\le r}\, \psi_2$ is a path formula.

RTCTL* is the set of state formulas generated by the above rules. The difference compared to CTL* is the addition of the time-bounded until operator $U^{\le r}$. For technical reasons related to the later proofs, we define explicitly the $PF$ operator for converting state formulas into path formulas.

The semantics of RTCTL* is defined with respect to structures of the form $\mathcal{M} = (V, E, \mathcal{L}_\Pi)$, where $V$ is a set of states, $E \subseteq V \times (T \times \mathbb{R}) \times V$ is the transition relation, and $\mathcal{L}_\Pi : V \to 2^\Pi$ is the proposition labelling function, which assigns to each $s \in V$ the set $\mathcal{L}_\Pi(s) \subseteq \Pi$ of atomic state propositions that hold in $s$. The transition relation $E$ is required to be total, i.e., each state has at least one successor state. Except for the requirement on the transition relation being total, it is straightforward to see that the full state space (from now on denoted $S$) and the condensed state space (from now on denoted $\hat{S}$) of a timed PT-net each determine a structure of the form $\mathcal{M} = (V, E, \mathcal{L}_\Pi)$. To make the transition relation total, we add for each dead state $s$ the triple $(s, (t_d, 1), s)$ to $E$ for some transition $t_d \in T$. This can be interpreted as: when the system enters a dead state it remains in this state forever. This is well-defined also for the condensed state space, since either none or all states in an equivalence class are dead states.

A path in $\mathcal{M}$ is a sequence of states and pairs of transitions and time values: $\sigma = s_1(t_1,d_1)s_2(t_2,d_2)s_3 \ldots$ such that, for all $i \ge 1$: $(s_i, (t_i,d_i), s_{i+1}) \in E$. $\sigma^i$ denotes the suffix of $\sigma$ starting in $s_i$. We use the standard notation $\mathcal{M}, s \models \phi$ to mean that the state formula $\phi$ holds at $s$ in the structure $\mathcal{M}$. Similarly, $\mathcal{M}, \sigma \models \psi$ means that the path formula $\psi$ holds along the path $\sigma$ in $\mathcal{M}$. The $\models$ relation is inductively defined below. $\phi$, $\phi_1$, and $\phi_2$ are state formulas whereas $\psi$, $\psi_1$, and $\psi_2$ are path formulas.

• $\mathcal{M}, s \models \pi \Leftrightarrow \pi \in \mathcal{L}_\Pi(s)$

• $\mathcal{M}, s \models \neg\phi \Leftrightarrow \mathcal{M}, s \not\models \phi$

• $\mathcal{M}, s \models \phi_1 \vee \phi_2 \Leftrightarrow \mathcal{M}, s \models \phi_1$ or $\mathcal{M}, s \models \phi_2$

• $\mathcal{M}, s \models E\psi \Leftrightarrow$ there exists a path $\sigma$ starting in $s$ such that $\mathcal{M}, \sigma \models \psi$

• $\mathcal{M}, \sigma \models PF(\phi) \Leftrightarrow$ for the first state $s$ of $\sigma$: $\mathcal{M}, s \models \phi$

• $\mathcal{M}, \sigma \models \neg\psi \Leftrightarrow \mathcal{M}, \sigma \not\models \psi$

• $\mathcal{M}, \sigma \models \psi_1 \vee \psi_2 \Leftrightarrow \mathcal{M}, \sigma \models \psi_1$ or $\mathcal{M}, \sigma \models \psi_2$

• $\mathcal{M}, \sigma \models X\psi \Leftrightarrow \mathcal{M}, \sigma^2 \models \psi$

• $\mathcal{M}, \sigma \models \psi_1\, U\, \psi_2 \Leftrightarrow$ for $\sigma = s_1(t_1,d_1)s_2(t_2,d_2)s_3 \ldots$, there exists $k \ge 1$ such that $\mathcal{M}, \sigma^k \models \psi_2$ and for all $1 \le j < k$: $\mathcal{M}, \sigma^j \models \psi_1$

• $\mathcal{M}, \sigma \models \psi_1\, U^{\le r}\, \psi_2 \Leftrightarrow$ for $\sigma = s_1(t_1,d_1)s_2(t_2,d_2)s_3 \ldots$, there exists $k \ge 1$ such that $\mathcal{M}, \sigma^k \models \psi_2$, for all $1 \le j < k$: $\mathcal{M}, \sigma^j \models \psi_1$, and $\sum_{i=1}^{k-1} d_i \le r$

We will usually leave the model $\mathcal{M}$ out of the relation and simply write $s \models \pi$ or $\sigma \models \psi$ when the model is clear from the context. For a state $s \in S$, we denote by $\hat{s}$ the representative chosen to represent $[s]$ in $\hat{S}$.

Lemma 3. There is a bidirectional correspondence between paths in the full state space $S$ and paths in the condensed state space $\hat{S}$.

1. If $\sigma = s_1(t_1,d_1)s_2(t_2,d_2)s_3 \ldots$ is a path in $S$, then we have that $\hat{\sigma} = \hat{s}_1(t_1,d_1)\hat{s}_2(t_2,d_2)\hat{s}_3 \ldots$ is a path of $\hat{S}$.

2. If $\hat{\sigma} = \hat{s}_1(t_1,d_1)\hat{s}_2(t_2,d_2)\hat{s}_3 \ldots$ is a path of $\hat{S}$, then for every state $s'_1 \approx s_1$ in $S$ there exists a path $\sigma' = s'_1(t_1,d_1)s'_2(t_2,d_2)s'_3 \ldots$ in $S$ such that $s'_i \approx s_i$ for all $i \ge 1$.

Proof. The lemma follows from successive application of the consistency requirement for $\approx$ and is similar to the proofs of Prop. 2.4 and Prop. 3.6 in [?]. □

From the above lemma it follows that for a path $\sigma$ in $S$, we can talk about the corresponding path $\hat{\sigma}$ in $\hat{S}$, and for a path $\hat{\sigma}$ in $\hat{S}$ we can talk about a corresponding path $\sigma$ in $S$. In order to be able to use the condensed state space for model checking, we require that all the atomic state propositions $\pi \in \Pi$ are such that for all equivalence classes $[s]$ we have: $s_1, s_2 \in [s] \Rightarrow \pi(s_1) = \pi(s_2)$, i.e., the truth value with respect to atomic state propositions is the same for all states in an equivalence class. In practice this means that the atomic state propositions may refer to the number of tokens on places, but cannot refer to time stamps of tokens nor to the creation time of the state. From now on we assume that the set of atomic state propositions satisfies this property.

Theorem 3. Let $\phi$ be a state formula and $\psi$ a path formula of RTCTL*. Let $\sigma = s_1(t_1,d_1)s_2(t_2,d_2)s_3 \ldots$ be a path in $S$, and let $\hat{\sigma} = \hat{s}_1(t_1,d_1)\hat{s}_2(t_2,d_2)\hat{s}_3 \ldots$ be the corresponding path in $\hat{S}$. Then the following holds:

$S, s_1 \models \phi \Leftrightarrow \hat{S}, \hat{s}_1 \models \phi$ and $S, \sigma \models \psi \Leftrightarrow \hat{S}, \hat{\sigma} \models \psi$ □
Proof. We prove the theorem by structural induction on state and path formulas. The base case is $\phi = \pi \in \Pi$. In this case the theorem follows from the assumption on $\Pi$ which ensures that $s \models \pi \Leftrightarrow \hat{s} \models \pi$. For the induction step, the proof is split into a number of cases. The cases $\phi = \neg\phi_1$ and $\phi = \phi_1 \vee \phi_2$ are straightforward (both in the case of state formulas and path formulas). We consider the remaining cases below.

$\phi = E\psi$: Assume that $s \models \phi$. Then there is a path $\sigma$ starting in $s$ such that $\sigma \models \psi$. By Lemma 3 there is a corresponding path $\hat{\sigma} \in \hat{S}$ starting in $\hat{s}$. By the induction hypothesis: $\sigma \models \psi \Leftrightarrow \hat{\sigma} \models \psi$. Hence, $\hat{s} \models E\psi$. The reverse direction is similar.

$\psi = PF(\phi)$: Assume that $\sigma \models \psi$. Then, $s_1 \models \phi$. By the induction hypothesis $\hat{s}_1 \models \phi$, and hence $\hat{\sigma} \models PF(\phi)$. The reverse direction is similar.

$\psi = X\psi_1$: Assume that $\sigma \models X\psi_1$. Then $\sigma^2 \models \psi_1$ and since $\sigma$ and $\hat{\sigma}$ correspond so do $\sigma^2$ and $\hat{\sigma}^2$. By the induction hypothesis: $\hat{\sigma}^2 \models \psi_1$. Hence, $\hat{\sigma} \models X\psi_1$.

$\psi = \psi_1\, U^{\le r}\, \psi_2$: Assume that $\sigma \models \psi$. Then there exists $k \ge 1$ such that $\sigma^k \models \psi_2$, for all $1 \le j < k$: $\sigma^j \models \psi_1$, and $\sum_{i=1}^{k-1} d_i \le r$. Since $\sigma$ and $\hat{\sigma}$ correspond so do $\sigma^k$ and $\hat{\sigma}^k$, and $\sigma^j$ and $\hat{\sigma}^j$ for all $j$, and therefore by the induction hypothesis: $\hat{\sigma}^k \models \psi_2$ and $\hat{\sigma}^j \models \psi_1$ for all $1 \le j < k$. Moreover, since delays are preserved along corresponding paths, $\hat{\sigma} \models \psi$.

$\psi = \psi_1\, U\, \psi_2$: This case is similar to $\psi = \psi_1\, U^{\le r}\, \psi_2$. □

We proved earlier in Thm. 2 that termination time equivalence is consistent. Hence, we have the following corollary of the above theorem.

Corollary 1. Let $PTN$ be a timed PT-net with a full state space $S$ and let $\hat{S}_{TT}$ be the condensed state space for $PTN$ obtained using termination time equivalence. For all state formulas $\phi$ of RTCTL* and all states $s$: $S, s \models \phi \Leftrightarrow \hat{S}_{TT}, \hat{s} \models \phi$. For all path formulas $\psi$ of RTCTL*, paths $\sigma$ in $S$, and corresponding paths $\hat{\sigma}$ in $\hat{S}_{TT}$: $S, \sigma \models \psi \Leftrightarrow \hat{S}_{TT}, \hat{\sigma} \models \psi$. □



8 A Case Study 

We have implemented the state space method presented in the previous sections on top of the state space tool of Design/CPN [4]. The prototype implements termination time equivalence for CP-nets. In this section we apply this prototype implementation to a larger CPN model. The CPN model is taken from the industrial case study [5] in which timed CP-nets and the Design/CPN tool were used to validate vital parts of the Bang&Olufsen BeoLink system.

The BeoLink system makes it possible to distribute audio and video throughout a home via a dedicated network. The state space analysis in [5] focused on the lock management protocol of the BeoLink system. This protocol is used to grant devices exclusive access to various services in the system. Timed CP-nets were applied in [5] since timing is crucial for the correctness of the lock management protocol. The exclusive access is implemented based on the notion of a key. A device is required to possess the key in order to access services. When the system boots no key exists, and the lock management protocol is (among other things) responsible for ensuring that a key is generated when the system starts. The lock management protocol is also responsible for ensuring that a key is generated in case it is lost during the operation of the system. It is the obligation of the so-called video and/or audio master device to ensure that new keys are generated when needed. The three main correctness criteria of the lock management protocol are listed below.

Eventual key generation. When the system is booted, a key is eventually generated. The key is to be generated within approximately 2.0 seconds. This property can be expressed as the RTCTL* formula $AF^{\le r}\, \pi_{key}$, where $\pi_{key}$ is an atomic state proposition which is true iff a key is present in the system, and $AF^{\le r}\phi = \neg E(\neg(True\, U^{\le r}\, \phi))$.

Mutual exclusion. At any time during the operation of the system at most one key exists. This property can be expressed as the RTCTL* formula $AG\, \pi_{01\text{-}key}$, where $\pi_{01\text{-}key}$ is an atomic state proposition which is true iff there is zero or one key in the system, and $AG\phi = \neg E(True\, U\, \neg\phi)$.

Persistent key access. Any given device always has the possibility of obtaining the key. This property can be expressed as the RTCTL* formula $\bigwedge_i AG\, EF\, \pi_{i\text{-}haskey}$, where $\pi_{i\text{-}haskey}$ is an atomic state proposition which is true iff the device $i$ has the key, and $EF\phi = E(True\, U\, \phi)$.
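The RTCTL* semantics of Sect. 7 and the three property shapes above, as an added example in Python (not code from the paper, from Design/CPN, or from the BeoLink case study): it evaluates $E(\phi_1\, U^{\le r}\, \phi_2)$ and the derived operators $AF^{\le r}$, $AG$ and $EF$ over a small totalized structure $\mathcal{M} = (V, E, \mathcal{L}_\Pi)$ whose dead state carries the $(t_d, 1)$ self-loop of Sect. 7. The path-formula arguments are restricted to $PF$-wrapped state formulas, which is all the three shapes need. The structure `BEOLINK_LIKE`, its key counts, delays and state names are constructed and are not the BeoLink CPN model; device identity is collapsed into a single `has_key` proposition.

```python
# Added example, not from the paper or Design/CPN: checking the three property
# shapes of Sect. 8 against a constructed, totalized structure M = (V, E, L_Pi)
# with the RTCTL* semantics of Sect. 7 for E(phi1 U^{<=r} phi2) and its duals.
import heapq
from math import inf

# Constructed structure: graph[u] = [(transition, delay, successor), ...].
# The relation is total; the dead state "down" carries the self-loop (t_d, 1)
# of Sect. 7. Propositions depend only on the (constructed) key count, as the
# restriction on atomic propositions in Sect. 7 requires.
KEYS = {"init": 0, "req": 0, "key": 1, "lost": 0, "down": 0}
BEOLINK_LIKE = {
    "init": [("boot", 1.0, "req")],
    "req":  [("gen", 0.8, "key")],
    "key":  [("use", 0.5, "key"), ("drop", 0.5, "lost")],
    "lost": [("regen", 1.0, "key")],
}
TRAPPED = {**BEOLINK_LIKE, "lost": [("regen", 1.0, "key"), ("timeout", 2.0, "down")],
           "down": [("t_d", 1, "down")]}

def TRUE(s):
    return True

def has_key(s):
    return KEYS[s] == 1

def at_most_one_key(s):
    return KEYS[s] <= 1

def exists_until(graph, s, phi1, phi2, bound=inf):
    """E(phi1 U^{<=bound} phi2) for state formulas phi1, phi2: Dijkstra over
    phi1-states; the least accumulated delay to a phi2-state must be <= bound.
    bound=inf gives the untimed E(phi1 U phi2)."""
    dist, heap = {s: 0}, [(0, s)]
    while heap:
        du, u = heapq.heappop(heap)
        if du > dist[u]:
            continue
        if phi2(u):                      # first phi2-state popped is the nearest
            return du <= bound
        if not phi1(u):
            continue
        for _, d, v in graph[u]:
            if du + d < dist.get(v, inf):
                dist[v] = du + d
                heapq.heappush(heap, (du + d, v))
    return False

def all_future_within(graph, s, phi, bound):
    """AF^{<=bound} phi = not E(not(True U^{<=bound} phi)). A counterexample
    path stays in not-phi states while its accumulated delay is <= bound, so it
    either leaves the budget from a not-phi state or cycles inside not-phi."""
    safe = set()                          # (state, delay) pairs already cleared

    def counterexample(u, acc, stack):
        if phi(u):
            return False
        if u in stack:                    # not-phi cycle: phi never arrives
            return True
        if (u, acc) in safe:
            return False
        stack.add(u)
        for _, d, v in graph[u]:
            if acc + d > bound or counterexample(v, acc + d, stack):
                return True
        stack.remove(u)
        safe.add((u, acc))
        return False

    return not counterexample(s, 0, set())

def always_globally(graph, s, phi):
    """AG phi = not E(True U not phi)."""
    return not exists_until(graph, s, TRUE, lambda u: not phi(u))

def eventually(graph, s, phi):
    """EF phi = E(True U phi)."""
    return exists_until(graph, s, TRUE, phi)

def check_all(graph, start="init", bound=2.0):
    """The three BeoLink criteria in the shapes given in Sect. 8."""
    return {
        "eventual key generation": all_future_within(graph, start, has_key, bound),
        "mutual exclusion": always_globally(graph, start, at_most_one_key),
        "persistent key access": always_globally(
            graph, start, lambda u: eventually(graph, u, has_key)),
    }
```

On `BEOLINK_LIKE` all three checks pass with a 2.0 bound and the first one fails with a 1.5 bound, because the only path to a key accumulates 1.8 time units; on `TRAPPED` persistent key access fails, since the dead state `down` can never reach a key again. `exists_until` works because delays are non-negative, so the first $\phi_2$ state popped by Dijkstra is the one with the least accumulated delay; `all_future_within` memoises cleared (state, delay) pairs, which is sound because any counterexample through a cleared pair would already have been found from it.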

Since all three properties can be expressed in RTCTL* it follows from Sect. 7 that they are preserved by termination time equivalence. In [5] the eventual key generation was verified using partial state spaces, where successors were not generated for those nodes in which a key existed. Using this partial state space it was possible to show that the lock management protocol ensures that a key is generated in the initialisation phase of the system, i.e., when the system boots. The two other properties were not verified in [5], since the full state space of the CPN model of the BeoLink system is infinite. Below we show that with the new state space method for timed CP-nets presented in this paper, we are now able to verify all three properties of the system. In addition to the termination time equivalence we also apply the symmetry method of CP-nets [?] as implemented in the Design/CPN tool to alleviate the state explosion problem. The symmetry in the BeoLink is based on the observation that the devices which are neither the video nor the audio master are identical, i.e., their identity is interchangeable. All results in this section were obtained using a HP Unix Workstation with 1 Gbyte of memory.

Table 1 gives some statistics for the state spaces of the full BeoLink system for different configurations. The Config column specifies the configuration in question. Configurations with one video master are written in the form VM:n, where n is the total number of devices in the system. Configurations with one audio master are written in the form AM:n. The TT columns give the size of the condensed state space (nodes and arcs) when applying termination time equivalence, and the CPU time it took to generate the condensed state space. CPU time is written in the form hh:mm:ss where hh is hours, mm is minutes and ss is seconds. The TT+SYMM columns give the corresponding numbers for a combined use of termination time equivalence and symmetry. For VM:4 and AM:4 the state space was not actually generated, but the size (i.e., number of nodes and arcs) was calculated from the corresponding condensed state spaces by calculating the size of the equivalence classes represented by the nodes and arcs. The TT columns show that termination time equivalence results in a finite state space, but that the size of the state space grows rapidly with the number of devices. Hence, the main virtue of termination time equivalence is that it results in a finite state space. The TT+SYMM columns show that termination time equivalence and the symmetry method combine very well. For example, for 3 devices the reduction in terms of states is 49%, and the generation time is reduced by 48% for the AM:3 configuration, and by 50% for the VM:3 configuration.

Table 1. Experimental results - Full BeoLink system.

Config   TT                                 TT+SYMM
         Nodes        Arcs        Time      Nodes       Arcs        Time
VM:2     274          310         0:00:02   274         310         0:00:02
AM:2     346          399         0:00:03   346         399         0:00:03
VM:3     10,713       14,917      0:01:34   5,420       7,562       0:00:47
AM:3     27,246       37,625      0:04:10   13,647      18,872      0:02:10
VM:4     3,557,441    7,351,877   -         593,209     866,085     7:10:21
AM:4     12,422,637   25,059,384  -         2,070,796   3,064,778   25:51:57



9 Conclusions 

We have presented a state space method for timed Petri nets. The method uses an equivalence relation on states to obtain a condensed state space which satisfies exactly the same RTCTL* formulas as the full state space. We have developed tool support for this state space method and made some initial experiments on a CPN model taken from an industrial case study. The condensed state space makes it possible to analyse a class of systems which could previously only be partially analysed. The main benefit of the approach is that it makes it possible to condense an infinite state space into a finite state space. In order to alleviate the state explosion problem, termination time equivalence needs to be combined with other state space reduction methods, such as the symmetry method.

Condensed state space methods for timed Petri nets based on aggregating states into equivalence classes have also been investigated in [17] and [2]. The time concept of Interval Timed Coloured Petri Nets (ITCPNs) considered in [17] is similar to the time concept considered in this paper in that time stamps are associated with tokens. Moreover, time stamps of tokens in ITCPNs are increasing since the time concept of ITCPNs also introduces a global clock. The difference between the time concept of ITCPNs and the time concept considered in this paper is that time delays in [17,2] can be continuous intervals. The Modified Transition System Reduction Technique (MTSRT) used in [17] to obtain a condensed state space groups states into equivalence classes to recover from states of an ITCPN having an infinite number of successor states due to the infinite number of time values in the continuous interval specifying time delays. The condensed state spaces of [17] may however still be infinite due to increasing time stamps. Hence, the condensed state spaces based on termination time equivalence in this paper and the condensed state spaces of [17] focus on two different sources for the state space to become infinite.

The results in [17] for ITCPNs were later extended in [2], developing the notion of equivalence presented in [17] to be both sound as well as complete. The original equivalence in [17] was sound but not complete, i.e., the condensed state space could contain the set of reachable states of the ITCPN as a proper subset. The notion of equivalence presented in [2] ensures that the condensed state space represents exactly the set of reachable states of the ITCPN. In addition to this, [2] introduced a notion of equivalence between states which can factor out the global clock of ITCPNs. This equivalence notion is similar to the creation time equivalence which was presented in Sect. [?] as an intermediate step towards termination time equivalence. Termination time equivalence is therefore a strictly weaker notion of equivalence than the equivalence presented in [2], and hence allows for better condensation of the state space. On the other hand, the condensed state space in our paper only considers discrete intervals, whereas the method presented in [2] can deal with continuous intervals. It remains to be investigated whether the idea of termination time equivalence presented in this paper can be applied to ITCPNs. Another difference between the results presented in [2] and the results presented in this paper is that for termination time equivalence a canonical form for states can be computed efficiently. In [2] no canonical form is given for the computation of canonical representatives of equivalence classes of states. Having a canonical form which can be computed efficiently is of great importance for the practical use and implementation of the method.

The time concept considered in [2] and [17] is on the other hand more advanced/powerful than the discrete time concept considered in this paper. However, there exist many interesting systems where the appropriate level of abstraction can be modelled (and meaningful analysis results obtained) using discrete time. The lock management protocol of the Bang&Olufsen BeoLink system used as a case study in this paper is a good example of this.

References 

1. R. Alur and T. Henzinger. Logics and Models of Real Time: A Survey. In Real-Time: Theory in Practice, volume 600 of Lecture Notes in Computer Science, pages 74-106. Springer-Verlag, 1991.

2. G. Berthelot. Occurrence Graphs for Interval Timed Coloured Nets. In Proceedings of ICATPN'94, volume 815 of Lecture Notes in Computer Science, pages 79-98. Springer-Verlag, 1994.

3. B. Berthomieu and M. Diaz. Modelling and Verification of Time Dependent Systems using Time Petri Nets. IEEE Transactions on Software Engineering, 17(3):259-273, March 1991.

4. S. Christensen, J. B. Jørgensen, and L. M. Kristensen. Design/CPN - A Computer Tool for Coloured Petri Nets. In E. Brinksma, editor, Proceedings of TACAS'97, volume 1217 of Lecture Notes in Computer Science, pages 209-223. Springer-Verlag, 1997.

5. S. Christensen and J. B. Jørgensen. Analysis of Bang and Olufsen's BeoLink Audio/Video System Using Coloured Petri Nets. In P. Azema and G. Balbo, editors, Proceedings of ICATPN'97, volume 1248 of Lecture Notes in Computer Science, pages 387-406. Springer-Verlag, 1997.

6. G. Ciardo, L. Cherkasova, V. Kotov, and T. Rokicki. Modeling a Scalable High-Speed Interconnect with Stochastic Petri Nets. In Proceedings of PNPM'95, pages 83-93. IEEE Computer Society Press, 1995.

7. E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic Verification of Finite State Concurrent Systems using Temporal Logic. ACM Transactions on Programming Languages and Systems, 8(2):244-263, 1986.

8. H. Clausen and P. R. Jensen. Validation and Performance Analysis of Network Algorithms by Coloured Petri Nets. In Proceedings of PNPM'93, pages 280-289. IEEE Computer Society Press, 1993.

9. J. Desel and W. Reisig. Place/Transition Petri Nets. In Lectures on Petri Nets I: Basic Models, volume 1491 of Lecture Notes in Computer Science, pages 122-173. Springer-Verlag, 1998.

10. E. A. Emerson. Temporal and Modal Logic, volume B of Handbook of Theoretical Computer Science, chapter 16, pages 995-1072. Elsevier, 1990.

11. E. A. Emerson, A. K. Mok, A. P. Sistla, and J. Srinivasan. Quantitative Temporal Reasoning. In Proceedings of CAV'90, volume 531 of Lecture Notes in Computer Science, pages 136-145. Springer-Verlag, 1990.

12. K. Jensen. Coloured Petri Nets. Basic Concepts, Analysis Methods and Practical Use. Volume 1, Basic Concepts. Monographs in Theoretical Computer Science. Springer-Verlag, 1992.

13. K. Jensen. Coloured Petri Nets. Basic Concepts, Analysis Methods and Practical Use. Volume 2, Analysis Methods. Monographs in Theoretical Computer Science. Springer-Verlag, 1994.

14. L. M. Kristensen, S. Christensen, and K. Jensen. The Practitioner's Guide to Coloured Petri Nets. International Journal on Software Tools for Technology Transfer, 2(2):98-132, December 1998.

15. M. A. Marsan, G. Balbo, G. Conte, S. Donatelli, and G. Franceschinis. Modelling with Generalized Stochastic Petri Nets. Series in Parallel Computing. Wiley, 1995.

16. T. Murata. Petri Nets: Properties, Analysis and Applications. In Proceedings of the IEEE, Vol. 77, No. 4. IEEE Computer Society, 1989.

17. W. M. P. van der Aalst. Interval Timed Coloured Petri Nets and their Analysis. In Proceedings of ICATPN'93, volume 691 of Lecture Notes in Computer Science, pages 453-472. Springer-Verlag, 1993.

18. K. M. van Hee, L. J. Somers, and M. Voorhoeve. Executable Specifications for Distributed Information Systems. In Proceedings of IFIP TC8/WG 8.1 Working Conference on Information System Concepts, pages 139-156. Elsevier Science Publishers, 1989.




Unfolding of Products of Symmetrical Petri Nets

Jean-Michel Couvreur¹, Sébastien Grivet¹, and Denis Poitrenaud²

¹ LaBRI, Université de Bordeaux I, Talence, France
{couvreur,grivet}@labri.u-bordeaux.fr
² LIP6, Université Pierre et Marie Curie, Paris, France
Denis.Poitrenaud@lip6.fr

Abstract. This paper presents a general technique for the modular construction of complete prefixes adapted to systems composed of Petri nets. This construction is based on a definition of a well-adapted order allowing combination. Moreover, the proposed technique takes into account the symmetries of the system to minimize the size of the produced complete prefixes. Finally, the technique has been instantiated in an efficient algorithm for systems combining finite state machines and $k$-bounded queues with $k$ a priori known or not.



1 Introduction 

Unfoldings of Petri nets were originally studied from a theoretical point of 
view by Nielsen (ca) and Engelfriet (0). For a decade, they have been 
intensively used in the context of verification. All these methods are based 
on a structure which is a prefix of the maximal unfolding of a system, large 
enough to cover all the reachable states of the system. Such a prefix is said 
to be complete. We can distinguish two kinds of work in this area. The first 
one consists in the definition of efficient algorithms for the construction of 
complete prefixes. The papers m are significant examples of such 
optimizations. The second type of research is the design of verification 
techniques based on complete prefixes l [tbl,'fl2lti] l. 

In this paper, we focus our attention on the efficiency of the construction 
algorithm. Our starting point is the work presented in m and [7]. Langerak 
and Brinksma have proposed an order over the processes composing a system 
which allows the size of the complete prefix to be minimized. Indeed, such an 
order is used to detect the points from which the construction can be 
stopped. The one presented in GDI is defined for systems consisting of 
synchronizations of finite state machines. Esparza and Romer, in Pj, have 
proposed a very efficient algorithm based on this order, taking benefit of 
the particular structure of the components of the system. 

The present paper generalizes these works in two directions. First, we want 
to deal with systems communicating not only by rendez-vous but also by 
message passing. Is the order presented in m suitable for this kind of 
system? Can we define some more efficient order specific to queues? Second, 
we want to generalize the method to components other than finite state 
machines and, if possible, to deal with general Petri nets. The solution that 
we propose for communication by message passing is based on considering the 
symmetries induced by the chosen model of queues. This allows us to minimize 
the size of the constructed complete prefixes. To deal with components 
defined by Petri nets, we show that the key point of an efficient 
implementation is the way in which the components are synchronized. We 
define a constraint on the synchronization under which a modular computation 
of complete prefixes is possible. 

The main results presented in this paper are the following: 

— The definition of a new suitable order for the computation of complete 
prefixes, allowing the combination of orders into new ones. 

— The consideration of symmetries in the unfolding technique to minimize the 
size of the complete prefixes. 

— The definition of a modular computation of prefixes. 

— The design of an efficient implementation for systems composed of finite 
state machines and queues. 

First, we recall the theoretical background of unfolding. In the 
corresponding section, the new order over processes is presented. Then, 
symmetries are introduced in the unfolding technique and are illustrated 
through different models of queues. In Section 4, the unfolding of systems 
composed by the synchronization of Petri nets is studied, and the constraint 
concerning the synchronization and its effects is illustrated. A section 
dedicated to the implementation for systems composed of finite state machines 
and queues follows. Some concluding remarks and perspectives close the paper. 

2 Preliminaries 

After recalling the basic definitions related to Petri nets, this section is dedicated 
to the theoretical context of the unfolding method. Many of the definitions are 
adapted from the works of Engelfriet 0 and of Esparza 0. 

2.1 Petri Nets 

Definition 1. A (Petri) net is a tuple $(P,T,F)$, where $P$ is a set of places, 
$T$ is a set of transitions, $P$ and $T$ are disjoint, 
$F \subseteq (P \times T) \cup (T \times P)$ and 
$\forall t \in T, \exists p \in P : (p,t) \in F$. The preset of a node 
$n \in P \cup T$, denoted by ${}^\bullet n$, is the set of nodes 
$\{n' \mid (n',n) \in F\}$. The postset of a node $n \in P \cup T$, denoted by 
$n^\bullet$, is the set of nodes $\{n' \mid (n,n') \in F\}$. 

Here, a net is possibly infinite. The main natural restriction is that of 
finite synchronization, i.e. for every transition $t$, ${}^\bullet t$ and 
$t^\bullet$ are finite sets; moreover, we assume ${}^\bullet t$ to be nonempty. 

Definition 2. A marking of a net $N = (P,T,F)$ is a multiset on $P$. A marked 
net $(N, m_0)$ is a net with an associated initial marking $m_0$. 
Definition 3. The firing rule of net $N = (P,T,F)$ is defined as follows. Let 
$m$ and $m'$ be two markings of $N$ and $t$ be a transition. Then 
$m \xrightarrow{t} m'$ iff ${}^\bullet t \subseteq m$ and 
$m' = m - {}^\bullet t + t^\bullet$. A marking $m$ is reachable from a marking 
$m_0$ if there exists a firing sequence $t_1 \cdots t_n$ such that 
$m_0 \xrightarrow{t_1} \cdots \xrightarrow{t_n} m$. The set of markings 
reachable from $m_0$ is denoted by $Reach(N, m_0)$. 

In this paper, we deal with systems constructed from a set of components 
which are synchronised on events having a common label. Hence, we introduce 
the notion of labelled nets. 

Definition 4. A labelled net is a tuple $(P,T,F,A,\lambda)$, where $(P,T,F)$ is 
a net, $A$ is an alphabet (of actions) and $\lambda : T \to A$ is a labelling. 

Unfoldings are defined by way of homomorphisms from nets to nets (see ^). 
Intuitively, a homomorphism $h$ from net $N_1$ to net $N_2$ formalizes the fact 
that $N_1$ can be obtained by partially unfolding a part of $N_2$. Firing 
sequences of different nets can be related through homomorphisms. 

Definition 5. Let $N_1 = (P_1,T_1,F_1)$, $N_2 = (P_2,T_2,F_2)$ be two nets. A 
homomorphism from $N_1$ to $N_2$ is a mapping 
$h : P_1 \cup T_1 \to P_2 \cup T_2$ such that: 

— $h(P_1) \subseteq P_2$ and $h(T_1) \subseteq T_2$, 

— $\forall t_1 \in T_1 : h_l({}^\bullet t_1) = {}^\bullet h(t_1)$ and 
$h_l(t_1^\bullet) = h(t_1)^\bullet$, 

where $h_l : \mathbb{N}^{P_1 \cup T_1} \to \mathbb{N}^{P_2 \cup T_2}$ is the 
linear extension of $h$. If $N_1$ and $N_2$ have initial markings $m_1$ and 
$m_2$ then we require that $h_l(m_1) = m_2$. Moreover, if 
$N_1 = (P_1,T_1,F_1,A,\lambda_1)$ and $N_2 = (P_2,T_2,F_2,A,\lambda_2)$ are 
labelled nets on the same alphabet $A$ then $\lambda_1(t_1) = \lambda_2(h(t_1))$ 
for all $t_1 \in T_1$. 

Proposition 1. Let $N_1 = (P_1,T_1,F_1)$, $N_2 = (P_2,T_2,F_2)$ be two nets. Let 
$h$ be a homomorphism from $N_1$ to $N_2$. If 
$m_0 \xrightarrow{t_1} m_1 \cdots m_{n-1} \xrightarrow{t_n} m$ is a firing 
sequence in $N_1$ then 
$h_l(m_0) \xrightarrow{h(t_1)} h_l(m_1) \cdots h_l(m_{n-1}) \xrightarrow{h(t_n)} h_l(m)$ 
is a firing sequence in $N_2$. 

2.2 Branching Processes 

In this subsection, the partial order semantics of a net is defined as a 
particular net called its maximal branching process. Intuitively, a branching 
process formalizes a set of behaviors of the net, and its structure allows one 
to determine the causality of the events as well as the conflicts and the 
concurrency. 

Definition 6. Let $N = (P,T,F)$ be a net and let $u, v \in P \cup T$. The 
precedence relation $<$, conflict relation $\sharp$, and concurrency relation 
$\|$ are defined by: 

— $u < v$ iff $(u,v)$ belongs to the reflexive transitive closure of $F$, 

— $u \sharp v$ iff $\exists t_1, t_2 \in T : t_1 \neq t_2$, 
${}^\bullet t_1 \cap {}^\bullet t_2 \neq \emptyset$, and $t_1 < u \wedge t_2 < v$, 

— $u \| v$ iff neither $u < v$ nor $v < u$ nor $u \sharp v$. 

Branching processes belong to the subclass of Petri nets called occurrence 
nets. 
Definition 7. An occurrence net is a net $ON = (B,E,F)$ where $B$ and $E$ are 
called conditions and events, and 

— $\forall b \in B : |{}^\bullet b| \le 1$, 

— $F$ is acyclic (i.e. the relation $<$ is a partial order), 

— $ON$ is finitely preceded: $\forall u \in B \cup E$, 
$\{v \in B \cup E \mid v < u\}$ is finite, 

— no event is in self-conflict: $\forall e \in E : \neg(e \sharp e)$. 

Moreover, if $|b^\bullet| \le 1$ for all $b \in B$ then $ON$ is called a causal 
net. An occurrence net has an implicit associated initial marking 
$Min(ON) = \{b \in B \mid {}^\bullet b = \emptyset\}$. 

A branching process is simply an occurrence net associated to a homomor- 
phism. 

Definition 8. A branching process of net $N$ is a pair $\beta = (ON, h)$ such 
that 

— $ON = (B,E,F)$ is an occurrence net, 

— $h : ON \to N$ is a homomorphism, 

— $\forall e_1, e_2 \in E$, if ${}^\bullet e_1 = {}^\bullet e_2$ and 
$h(e_1) = h(e_2)$ then $e_1 = e_2$. 

A branching process $\beta$ of a net $N$ has a corresponding initial marking in 
$N$, $Min_N(\beta) = h_l(Min(ON))$. For a branching process of a marked net 
$(N, m_0)$, we require that $Min_N(\beta) = m_0$. Moreover, if $ON$ is a causal 
net, then $\beta$ is called a process of $N$. 

Homomorphisms are used to characterize the prefixes of a branching process 
as well as isomorphism of branching processes. 

Definition 9. Let $\beta_1 = (ON_1, h_1)$, $\beta_2 = (ON_2, h_2)$ be two 
branching processes of a marked net $(N, m_0)$. A homomorphism $g$ from 
$\beta_1$ to $\beta_2$ is a homomorphism from $ON_1$ to $ON_2$ which fulfils 
$h_1 = h_2 \circ g$. Moreover, 

— $\beta_1$ is a prefix of $\beta_2$ (denoted by $\beta_1 \sqsubseteq \beta_2$) 
iff there exists an injective homomorphism $g$ from $\beta_1$ to $\beta_2$ such 
that $g(Min(ON_1)) = Min(ON_2)$, 

— $\beta_1$ and $\beta_2$ are isomorphic (denoted by $\beta_1 \equiv \beta_2$) 
iff $\beta_1 \sqsubseteq \beta_2 \wedge \beta_2 \sqsubseteq \beta_1$. 

Based on the fact that $\sqsubseteq$ forms a partial order on the branching 
processes of a net (up to isomorphism) and is a complete lattice (see 0), the 
existence of a unique maximal branching process is ensured. 

Theorem 1. Let $(N, m_0)$ be a marked net. There exists a unique maximal 
branching process $\beta(N)$ of $(N, m_0)$ (up to isomorphism). 

For convenience, we will use the following notations: 
$\beta = (ON(\beta), h(\beta))$ and $ON(\beta) = (B(\beta), E(\beta), F(\beta))$ 
denote the different components of a branching process $\beta$ of a net 
$N(\beta)$; $Min(\beta) = Min(ON(\beta))$ and 
$Min_N(\beta) = h(\beta)(Min(\beta))$ are the initial markings of $\beta$ in 
$\beta$ and in $N(\beta)$. 
2.3 Processes 

The most important notion regarding occurrence nets is that of a 
configuration. A configuration represents a possible partial run of the net. 

Definition 10. A configuration $C$ of a branching process $\beta$ is a set of 
events satisfying the two following properties: 

— $C$ is causally left-closed: 
$\forall e_1, e_2 \in E(\beta) : e_1 \in C \wedge e_2 < e_1 \Rightarrow e_2 \in C$, 

— $C$ is conflict-free: $\forall e_1, e_2 \in C : \neg(e_1 \sharp e_2)$. 

If $U$ is a conflict-free set of events and conditions of $\beta$, the set 
$[U] = \{e \in E(\beta) \mid \exists u \in U : e < u\}$ is a configuration. A 
finite configuration has an associated terminal marking in $\beta$ and in 
$N(\beta)$: $Cut(C) = (Min(\beta) \cup C^\bullet) \setminus {}^\bullet C$ and 
$Cut_N(C) = h(\beta)(Cut(C))$. Moreover, if $\beta$ is a process, then 
$E(\beta)$ is a configuration, and $Cut(\beta) = Cut(E(\beta))$ and 
$Cut_N(\beta) = Cut_N(E(\beta))$ are its terminal markings in $\beta$ and 
$N(\beta)$. 

Configurations and processes that are prefixes of a same branching process 
are closely related. 

Proposition 2. Let $\pi$ be a process, prefix of a branching process $\beta$. 
Let $g$ be an injective homomorphism from $\pi$ to $\beta$. Then $g(E(\pi))$ is 
a configuration of $\beta$. Moreover, if $C$ is a configuration of a branching 
process $\beta$ then there exists a unique process (up to isomorphism), prefix 
of $\beta$, denoted by $\Pi(C)$, such that there exists an injective 
homomorphism $g$ from $\Pi(C)$ to $\beta$ satisfying $C = g(E(\Pi(C)))$. 

An important operation for the construction and the proofs is the concate- 
nation. 

Proposition 3. Let $\pi_1$ be a finite process, and $\pi_2$ be a process of a 
net $N$ such that $Cut_N(\pi_1) = Min_N(\pi_2)$. Then there exist at least one 
process $\pi_3$ and two injective homomorphisms $g_1 : \pi_1 \to \pi_3$ and 
$g_2 : \pi_2 \to \pi_3$ such that 

— $g_1(E(\pi_1) \cup B(\pi_1)) \cup g_2(E(\pi_2) \cup B(\pi_2)) = E(\pi_3) \cup B(\pi_3)$, 

— $g_1(E(\pi_1)) \cap g_2(E(\pi_2)) = \emptyset$, 

— $g_1(B(\pi_1)) \cap g_2(B(\pi_2)) = g_1(Cut(\pi_1)) = g_2(Min(\pi_2))$, 

— $g_1(Min(\pi_1)) = Min(\pi_3)$ and $g_2(Cut(\pi_2)) = Cut(\pi_3)$. 

Such a process $\pi_3$ is called a concatenation of $\pi_1$ and $\pi_2$. The 
set of concatenations of $\pi_1$ and $\pi_2$ is denoted by $\pi_1 \cdot \pi_2$. 

2.4 Finite Complete Prefixes 

We are now in the position to define the characteristics of finite prefixes which 
are the basis of the verification technique. 

Definition 11. A branching process $\beta$ of a marked net $(N, m_0)$ is a 
finite complete prefix iff $\beta$ is finite (i.e. the set 
$B(\beta) \cup E(\beta)$ is finite) and for any reachable marking $m$ of 
$(N, m_0)$, there exists a process $\pi$ such that $\pi \sqsubseteq \beta$ and 
$Cut_N(\pi) = m$. 
For the construction of such prefixes, some events are identified as points 
from which it is not necessary to extend the branching process. These 
particular events are called cutoffs and have to ensure the stability (all 
the firings are represented) and the completeness (all the reachable markings 
are represented) of the construction. 

Definition 12. Let $\beta$ be a branching process of a marked net $(N, m_0)$. 
Let $Cutoff$ be a set of events of $\beta$. The couple $(\beta, Cutoff)$ is a 
stable branching process iff $\beta$ is finite and for every process $\pi$ of 
$(N, m_0)$ one of the two following properties holds: 

— $\exists C \in Conf(\beta) : C \cap Cutoff = \emptyset \wedge \Pi(C) = \pi$, 

— $\exists e \in Cutoff : \Pi([e]) \sqsubseteq \pi$, 

where $Conf(\beta)$ denotes the set of configurations of $\beta$. 

An internal configuration $C$ is a configuration of $\beta$ which contains no 
event of $Cutoff$ ($C \cap Cutoff = \emptyset$). A marking $m$ of $N$ is an 
internal marking of $\beta$ if $m$ is the cut of an internal configuration 
$C$ ($m = Cut_N(C)$). The sets of internal configurations and internal 
markings are respectively denoted by $Conf_I(\beta)$ and $Reach_I(\beta)$. 

Now, we make precise the characteristics of the cutoffs. 

Definition 13. An unfolding of a marked net $(N, m_0)$ is a tuple 
$(\beta, Cutoff, \Phi)$ where $(\beta, Cutoff)$ is a stable branching process 
and $\Phi$ is a mapping from $Cutoff$ to $Conf_I(\beta)$ such that 
$\forall e \in Cutoff : Cut_N(\Phi(e)) = Cut_N([e])$. 

We define the notion of well-adapted order over processes. These orders allow 
us to build finite complete prefixes. The definition of well-adapted order 
reduces that of adequate order used by Esparza et al. 0 in order to allow 
the design of a new well-adapted order from the combination of other ones. 
Notice that well-adapted orders are defined over processes and not over 
configurations of a given branching process as in jS]. 

Definition 14. A partial order $\prec$ over finite processes of a marked net 
$(N, m_0)$ is a well-adapted order if: 

— $\prec$ is well-founded and refines $\sqsubseteq$, 

— $\prec$ is a pre-total order: for all processes $\pi_1, \pi_2$ of $(N, m_0)$: 
$\pi_1 \prec \pi_2 \vee \pi_2 \prec \pi_1 \vee \pi_1 \approx \pi_2$, where 
$\pi_1 \approx \pi_2$ iff for all processes $\pi$: 
$\pi_1 \prec \pi \Leftrightarrow \pi_2 \prec \pi$ and 
$\pi \prec \pi_1 \Leftrightarrow \pi \prec \pi_2$, 

— $\prec$ is compatible with concatenation: for all processes $\pi_1, \pi_2$ 
of $(N, m_0)$ such that $Cut_N(\pi_1) = Cut_N(\pi_2)$, the following two 
properties hold: 

1. $\pi_1 \prec \pi_2 \Rightarrow$ for all processes $\pi_3$ of 
$(N, Cut_N(\pi_1))$, $\forall \pi_{13} \in \pi_1 \cdot \pi_3, 
\forall \pi_{23} \in \pi_2 \cdot \pi_3 : \pi_{13} \prec \pi_{23}$. 

2. $\pi_1 \approx \pi_2 \Rightarrow$ for all processes $\pi_3$ of 
$(N, Cut_N(\pi_1))$, $\forall \pi_{13} \in \pi_1 \cdot \pi_3, 
\forall \pi_{23} \in \pi_2 \cdot \pi_3 : \pi_{13} \approx \pi_{23}$. 
One can remark that McMillan's order $\prec_{Mc}$ El is well-adapted. Let us 
recall that for two processes $\pi_1$ and $\pi_2$ of a marked net $(N, m_0)$ 
such that $Cut_N(\pi_1) = Cut_N(\pi_2)$, $\pi_1 \prec_{Mc} \pi_2$ holds iff 
$|E(\pi_1)| < |E(\pi_2)|$. Moreover, the order proposed by Esparza et al. in 
jS| for safe Petri nets is also well-adapted. We are now in the position to 
complete our characterisation of the cutoffs composing an unfolding. 

Definition 15. An unfolding $(\beta, Cutoff, \Phi)$ of a marked net $(N, m_0)$ 
is well-adapted iff there exists a well-adapted order $\prec$ such that 
$\forall e \in Cutoff : \Pi(\Phi(e)) \prec \Pi([e])$. 



Proposition 4. If $(\beta, Cutoff, \Phi)$ is a well-adapted unfolding of a 
marked net $(N, m_0)$ then $\beta$ is a finite complete prefix. Moreover 
$Reach_I(\beta) = Reach(N, m_0)$. If the set $Reach(N, m_0)$ is finite and if 
for each marking in $Reach(N, m_0)$ the number of firable transitions is 
finite, then $(N, m_0)$ has at least one well-adapted unfolding. 

Proof. One can apply Esparza et al. |Bj for adequate orders. Indeed, a 
well-adapted order is an adequate order, and then 
$Reach_I(\beta) = Reach(N, m_0)$. Because well-adapted orders refine 
inclusion, the existence of a well-adapted unfolding is ensured in the finite 
case. □ 

We have claimed that the particularity of well-adapted orders is their 
capability to be combined into a new well-adapted order. This claim is 
formalized here. 

Definition 16. Let $\prec_1, \prec_2$ be two orders over a set. The order 
$lex(\prec_1, \prec_2)$ is defined by $x\ lex(\prec_1, \prec_2)\ y$ iff 
$x \prec_1 y \vee (x \approx_1 y \wedge x \prec_2 y)$ (with $\approx_1$ the 
equivalence associated to $\prec_1$ as in Definition 14). Let 
$\prec_1, \dots, \prec_n$ be orders over a set; $lex(\prec_1, \dots, \prec_n)$ 
is defined inductively as $lex(\prec_1, lex(\prec_2, \dots, \prec_n))$. 



Proposition 5. Let $\prec_1, \prec_2$ be two well-adapted orders over finite 
processes of a marked net $(N, m_0)$. The order $lex(\prec_1, \prec_2)$ is 
well-adapted. 

Proof. The proof is simple but tedious. One has just to check that 
$lex(\prec_1, \prec_2)$ is a pre-order and fulfils the well-adapted 
conditions. □ 

As an example of the construction of a well-adapted order from others, one 
may define $\prec_t$ through the number $|\pi|_t$ of events labelled by a 
given transition $t$ appearing in a process $\pi$: $\pi \prec_t \pi'$ iff 
$|\pi|_t < |\pi'|_t$. 

Suppose that one fixes an arbitrary total order over the transitions of a net 
($T = \{t_1, \dots, t_n\}$). Hence, the order 
$lex(\prec_{Mc}, \prec_{t_1}, \dots, \prec_{t_n})$ is a well-adapted order. 
Applying this new order on the examples presented in |B|, the combinatorial 
explosion problem appearing with $\prec_{Mc}$ is corrected. 
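The notions of this section (local configuration $[e]$, $Cut$, McMillan's order, the $\prec_t$ tie-break combined through $lex$ as in Definition 16, and the cutoff condition of Definition 15) carried through on a small hand-built prefix, as an added example that is not part of the paper: the net, the prefix and all helper names are constructed for illustration.

```python
"""Configurations, cuts, local configurations and the cutoff test of Sect. 2
(Defs 6, 10, 13-16) on a hand-built prefix.  Added example: the net, the
prefix and every helper name are constructed for illustration and are not
the paper's own code."""
from functools import cmp_to_key
from itertools import chain, combinations

# Constructed net N: p1 -t1-> p2 -t2-> p1 and p1 -t3-> p3 -t4-> p1, so t1 and
# t3 compete for p1.  Constructed prefix beta = (ON, h) of (N, {p1}):
#   b1 -e1-> b2 -e2-> b3      b1 -e3-> b4 -e4-> b5
PRE = {"e1": {"b1"}, "e2": {"b2"}, "e3": {"b1"}, "e4": {"b4"}}
POST = {"e1": {"b2"}, "e2": {"b3"}, "e3": {"b4"}, "e4": {"b5"}}
H = {"b1": "p1", "b2": "p2", "b3": "p1", "b4": "p3", "b5": "p1",
     "e1": "t1", "e2": "t2", "e3": "t3", "e4": "t4"}
EVENTS = sorted(PRE)
MIN = {"b1"}  # Min(ON): the only condition with an empty preset (Def 7)

def producer(b):
    """The unique event producing condition b, or None if b is initial."""
    return next((e for e in POST if b in POST[e]), None)

def local_config(e):
    """[e] = {e' | e' <= e}, i.e. [U] of Def 10 with U = {e}."""
    C, todo = {e}, [e]
    while todo:
        for b in PRE[todo.pop()]:
            p = producer(b)
            if p is not None and p not in C:
                C.add(p)
                todo.append(p)
    return frozenset(C)

def is_configuration(C):
    """Def 10: causally left-closed and conflict-free.  For a left-closed C,
    e1 # e2 (Def 6) reduces to two distinct events of C sharing a preset."""
    C = frozenset(C)
    if any(not local_config(e) <= C for e in C):
        return False
    return all(not (PRE[x] & PRE[y]) for x, y in combinations(C, 2))

def cut(C):
    """Cut(C) = (Min(beta) U C*) \\ *C (Sect. 2.3)."""
    produced = set().union(*(POST[e] for e in C))
    consumed = set().union(*(PRE[e] for e in C))
    return (MIN | produced) - consumed

def cut_N(C):
    """Cut_N(C) = h(Cut(C)), as a sorted tuple so that markings compare."""
    return tuple(sorted(H[b] for b in cut(C)))

def mc(C1, C2):
    """McMillan's order <_Mc: strictly fewer events."""
    return len(C1) < len(C2)

def by_transition(t):
    """The order <_t of Sect. 2: strictly fewer events labelled by t."""
    return lambda C1, C2: sum(H[e] == t for e in C1) < sum(H[e] == t for e in C2)

def lex(*orders):
    """Def 16: the first order that separates C1 and C2 decides."""
    def less(C1, C2):
        for o in orders:
            if o(C1, C2):
                return True
            if o(C2, C1):
                return False
        return False
    return less

# lex(<_Mc, <_t1, ..., <_t4): the well-adapted order of the example above.
LESS = lex(mc, *(by_transition(t) for t in ("t1", "t2", "t3", "t4")))

def all_configurations():
    """Every configuration of the (small) prefix, by brute force."""
    subsets = chain.from_iterable(combinations(EVENTS, r)
                                  for r in range(len(EVENTS) + 1))
    return [frozenset(s) for s in subsets if is_configuration(s)]

def cutoffs(less):
    """Defs 13 and 15: e is a cutoff with witness Phi(e) = C' iff C' is
    internal (contains no cutoff), Cut_N(C') = Cut_N([e]) and C' < [e].
    Events are examined in increasing order so witnesses are settled first."""
    configs = all_configurations()
    def cmp(a, b):
        ca, cb = local_config(a), local_config(b)
        return -1 if less(ca, cb) else (1 if less(cb, ca) else 0)
    phi = {}
    for e in sorted(EVENTS, key=cmp_to_key(cmp)):
        Ce = local_config(e)
        for C in configs:
            if not (C & set(phi)) and cut_N(C) == cut_N(Ce) and less(C, Ce):
                phi[e] = C
                break
    return phi

def internal_markings(phi):
    """Reach_I(beta): cuts of the configurations avoiding every cutoff; by
    Prop 4 this equals Reach(N, m0) for a well-adapted unfolding."""
    return {cut_N(C) for C in all_configurations() if not (C & set(phi))}
```

On this prefix both e2 and e4 become cutoffs with the empty configuration as witness, and the $\prec_t$ tie-break is what separates $[e_4]$ from $[e_2]$, which McMillan's order alone cannot.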
3 Unfoldings of Symmetrical Petri Nets 

In this section, we introduce the symmetrical Petri nets and show how one can 
take benefit of the symmetries to reduce the complete prefix of this kind of net. 
As our main goal is to analyse systems communicating by message passing, we 
will discuss the different modelling of queues and their consequences for the 
constructed prefixes. 



3.1 Symmetrical Petri Nets 

Symmetries are defined by the way of a group of mappings on the elements of 
the net. 

Definition 17. A symmetrical net is defined by a couple $(N, G)$ where 

— $N$ is a labelled net, 

— $G$ is a group of automorphisms of $N$ (i.e. a group of bijective 
homomorphisms from $N$ to $N$). 

A marked symmetrical net is a tuple $(N, G, m_0)$ where $m_0$ is a marking of 
$N$. 

From this definition, the notion of equivalent markings is introduced. This 
notion has been already used for the construction of reduced reachability graphs 
which are the basis of verification methods for qualitative properties j0| as well 
as for quantitative ones Q- 

Definition 18. Let $(N, G)$ be a symmetrical net. Two markings $m$ and $m'$ of 
$N$ are equivalent (denoted by $m \equiv m'$) iff $\exists g \in G$ such that 
$g_l(m) = m'$. For a marking $m$ of $N$, we denote by $\tilde{m}$ the set of 
markings equivalent to $m$. For a set of markings $M$, we denote by $\tilde{M}$ 
the set $\{\tilde{m} \mid \exists m' \in M : m \equiv m'\}$. 

The introduction of queues in Petri nets leads to a strict extension of the 
ordinary (i.e. finite) model. Indeed, one has to deal with the order and the value 
of the tokens entered in the queue and consequently with its size. When the 
maximal size of the queue is known a priori, it is possible to represent it by a 
finite Petri net. On the contrary, the modelling of a queue for which the maximal 
size is unknown leads to an infinite Petri net. We will study these two cases. 

Fig. 1 gives a first attempt at modelling a finite queue. The queue can 
receive two types of messages ($a$ and $b$) and its maximal size is $n$. The 
transitions $sx$ correspond to the entering of a message $x \in \{a, b\}$, 
whereas the firing of a transition $rx$ indicates that a message $x$ leaves 
the queue. Each position $i \in [1, n]$ of the queue is modelled by a set of 
places $\{Ma_i, Mb_i, F_i\}$ where the first two places indicate the presence 
of a message and the last one the emptiness of the position. Obviously, for 
any $i$, these three places are in mutual exclusion. When a message is 
enqueued, it is stored in the first position. Then, the message has to cross 
all the positions before being dequeued. The main disadvantage of this model 
is that it does not allow one to identify two states where the queue contains 
the same messages in the same order but in different positions, and the 
symmetries cannot 

Fig. 1. A first modelling of a finite FIFO 



Fig. 2. A Petri net using a FIFO (size 2) of Fig. 1 and its complete prefix 



help us in this task. Moreover, the internal transitions $tx_i$ (with 
$x \in \{a, b\}$ and $i \in [1, n-1]$) lead to the production of numerous 
intermediary states. 

A complete prefix of the net of Fig. 2 using this modelling of a queue and 
illustrating this situation is given in Fig. 2. The queue used in Fig. 2 is 
represented by a doubly bordered circle, and the surrounding transitions 
$sa$, $sb$, $ra$ and $rb$, representing the sending and receiving of 
messages, have to be synchronized with the corresponding transitions of the 
queue model. One can remark that for a queue of size $n$, the complete prefix 
of the net is constituted of ^(n + 1)(n + 2) + 1 events, whereas the number 
of reachable states of the system is $2(n + 1)$. 

A second modelling of a queue is presented in Fig. 3. It is based on a 
circular array and uses two counters $In$ and $Out$. The value of $In$ (resp. 
$Out$) indicates the position in the array where the next arriving (resp. 
departing) message must be stored (resp. taken from). With this modelling, 
the intermediary states of the first solution are discarded. This is 
illustrated by the complete prefix of the net 
Fig. 3. A second modelling of a finite FIFO 



of Fig. 2 presented in Fig. 4. We can remark that the number of events is 
then linear in the size of the queue. However, this modelling can also 
introduce some more states. Indeed, two states of the queue which only differ 
by the values of the counters $In$ and $Out$ will be considered as distinct. 
Fortunately, the symmetries of the net can be helpful to avoid this 
situation, as we will see in the next section by considering equivalent 
markings for the cutoff rule. 
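The firing rule of Definition 3, the reachability set, and the marking equivalence of Definition 18 worked on the circular-array queue of Fig. 3, as an added example that is not code from the paper: the place and transition names, the rotations of the array used as the group $G$, and the helper names are this example's own assumptions about how Fig. 3 is encoded.

```python
"""Firing rule, reachability (Def 3) and marking equivalence under a group
of automorphisms (Defs 5, 17, 18), instantiated on the circular-array FIFO
of Fig. 3.  Added example: the place/transition names and the helper names
are this example's own encoding, not the paper's code."""
from collections import Counter, deque

def fifo_net(n, msgs=("a", "b")):
    """Constructed encoding of Fig. 3: cells 0..n-1, each either empty (F_i)
    or holding a message (Ma_i / Mb_i); the counters In and Out are the
    one-token places In_i / Out_i.  Returns (pre, post, m0)."""
    pre, post = {}, {}
    for i in range(n):
        j = (i + 1) % n
        for x in msgs:
            pre[f"s{x}{i}"] = Counter({f"F{i}": 1, f"In{i}": 1})
            post[f"s{x}{i}"] = Counter({f"M{x}{i}": 1, f"In{j}": 1})
            pre[f"r{x}{i}"] = Counter({f"M{x}{i}": 1, f"Out{i}": 1})
            post[f"r{x}{i}"] = Counter({f"F{i}": 1, f"Out{j}": 1})
    m0 = Counter({f"F{i}": 1 for i in range(n)})
    m0.update({"In0": 1, "Out0": 1})
    return pre, post, m0

def enabled(m, pre_t):
    """Def 3: t is enabled at m iff its preset multiset is contained in m."""
    return all(m[p] >= k for p, k in pre_t.items())

def fire(m, pre_t, post_t):
    """Def 3: m' = m - pre(t) + post(t), dropping places that reach zero."""
    m2 = Counter(m)
    m2.subtract(pre_t)
    m2.update(post_t)
    return +m2

def freeze(m):
    """Hashable form of a marking."""
    return frozenset(m.items())

def reach(pre, post, m0):
    """Breadth-first computation of Reach(N, m0) as a set of frozen markings."""
    seen, todo = {freeze(m0)}, deque([m0])
    while todo:
        m = todo.popleft()
        for t in pre:
            if enabled(m, pre[t]):
                m2 = fire(m, pre[t], post[t])
                if freeze(m2) not in seen:
                    seen.add(freeze(m2))
                    todo.append(m2)
    return seen

def rotate(name, k, n):
    """Rotation g_k of the circular array: index i becomes (i + k) mod n."""
    stem = name.rstrip("0123456789")
    return f"{stem}{(int(name[len(stem):]) + k) % n}"

def rotate_marking(m, k, n):
    """Linear extension g_l of g_k to multisets (Def 5)."""
    return Counter({rotate(p, k, n): c for p, c in m.items()})

def is_automorphism(pre, post, k, n):
    """Defs 5 and 17: g_k is a bijective homomorphism iff it maps every
    transition's preset and postset onto those of the rotated transition."""
    for t in pre:
        gt = rotate(t, k, n)
        if gt not in pre:
            return False
        if rotate_marking(pre[t], k, n) != pre[gt]:
            return False
        if rotate_marking(post[t], k, n) != post[gt]:
            return False
    return True

def canonical(m, n):
    """Representative of the class of m (Def 18): the smallest rotation."""
    return min(tuple(sorted(rotate_marking(m, k, n).items())) for k in range(n))

def equivalence_classes(markings, n):
    """Reach(N, m0) quotiented by the rotation group G = {g_0, ..., g_{n-1}}."""
    return {canonical(Counter(dict(m)), n) for m in markings}

if __name__ == "__main__":
    n = 2
    pre, post, m0 = fifo_net(n)
    R = reach(pre, post, m0)
    print(len(R), "reachable markings,", len(equivalence_classes(R, n)), "classes")
```

For size 2 the net has 14 reachable markings but only 7 classes: the factor $n$ is exactly the position of the counters, which is what the equivalent-marking cutoff rule of the next section removes.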



Fig. 4. A complete prefix of the net of Fig. 2 using a FIFO (size 2) of Fig. 3 



3.2 Finite Complete Prefixes of Symmetrical Petri Nets 

A branching process of a symmetrical net is simply defined as a branching process 
of the underlying net. 
Definition 19. A branching process of a marked symmetrical net $(N, G, m_0)$ 
is a branching process of $(N, m_0)$. 

The symmetries allow us to relax the condition on the representation of all 
the markings for the completeness. 

Definition 20. A branching process $\beta$ of a marked symmetrical net 
$(N, G, m_0)$ is a finite complete prefix iff $\beta$ is finite (i.e. the set 
$B(\beta) \cup E(\beta)$ is finite) and for any reachable marking $m$, there 
exists a process $\pi$ such that $\pi \sqsubseteq \beta$ and 
$Cut_N(\pi) \equiv m$. 

Similarly, the condition on the cutoffs can also be relaxed. 

Definition 21. An unfolding of a marked symmetrical net $(N, G, m_0)$ is a 
tuple $(\beta, Cutoff, \Phi)$ where $(\beta, Cutoff)$ is a stable branching 
process and $\Phi$ is a mapping from $Cutoff$ to $Conf_I(\beta)$ which fulfils 
$\forall e \in Cutoff : Cut_N(\Phi(e)) \equiv Cut_N([e])$. 

The partial orders used for the construction have to be reviewed under the 
angle of symmetries. We first define how a new process can be constructed from 
an automorphism. 

Definition 22. Let $\pi = (CN, h)$ be a process of a marked symmetrical net 
$(N, G, m_0)$. Let $g$ be an automorphism of $G$. We define $g(\pi)$ as the 
process $(CN, g \circ h)$. 

Definition 23. A partial order $\prec$ on finite processes of a marked 
symmetrical net $(N, G, m_0)$ is a well-adapted order if: 

— $\prec$ is well-founded, 

— $\prec$ refines $\sqsubseteq$, 

— $\prec$ is a pre-total order, 

— $\prec$ is compatible with the concatenation: $\forall \pi_1, \pi_2$ 
processes of $(N, G, m_0)$ such that 
$\exists g \in G, g(Cut_N(\pi_1)) = Cut_N(\pi_2)$: 

1. $\pi_1 \prec \pi_2 \Rightarrow \forall \pi_3$ process of 
$(N, Cut_N(\pi_1))$, $\forall \pi_{23} \in \pi_2 \cdot g(\pi_3), 
\forall \pi_{13} \in \pi_1 \cdot \pi_3 : \pi_{13} \prec \pi_{23}$. 

2. $\pi_1 \approx \pi_2 \Rightarrow \forall \pi_3$ process of 
$(N, Cut_N(\pi_1))$, $\forall \pi_{13} \in \pi_1 \cdot \pi_3, 
\forall \pi_{23} \in \pi_2 \cdot g(\pi_3) : \pi_{13} \approx \pi_{23}$. 

We can remark that the order $\prec_{Mc}$ is well-adapted for any symmetrical 
Petri net. Indeed, the identity of the events is not taken into account by 
this order. On the contrary, the order $\prec_t$ (defined at the end of 
Sect. 2) is not necessarily well-adapted: the number of events labelled by 
any transition equivalent to $t$ has to be taken into account. For a given 
transition $t$ of a symmetrical Petri net $(N, G, m_0)$, let us denote by 
$|\pi|_{\tilde{t}}$ the number of events $e$ of $\pi$ such that 
$\exists g \in G, g(h(\pi)(e)) = t$. Then the order $\prec_{\tilde{t}}$ 
defined by $\pi \prec_{\tilde{t}} \pi'$ iff $|\pi|_{\tilde{t}} < |\pi'|_{\tilde{t}}$ 
is well-adapted. 

Definition 24. An unfolding $(\beta, Cutoff, \Phi)$ of a marked symmetrical 
net $(N, G, m_0)$ is well-adapted iff there exists a well-adapted order 
$\prec$ such that $\forall e \in Cutoff : \Pi(\Phi(e)) \prec \Pi([e])$. 
Proposition 6. If $(\beta, Cutoff, \Phi)$ is a well-adapted unfolding of a 
marked symmetrical net $(N, G, m_0)$ then $\beta$ is a finite complete 
prefix. Moreover, $\widetilde{Reach_I(\beta)} = \widetilde{Reach(N, m_0)}$. If 
the set $Reach(N, m_0)$ is finite and for any marking in $Reach(N, m_0)$ the 
number of firable transitions is finite, then $(N, G, m_0)$ has at least one 
well-adapted unfolding. 

Proof. This proof is almost the same as the proof of Proposition 4. The proof 
of "$\beta$ is a finite complete prefix" only uses the well-founded property 
and the first assertion of the compatibility property of the well-adapted 
order. The existence of a well-adapted unfolding is also deduced from the 
fact that $\prec$ refines $\sqsubseteq$. □ 

The following proposition claims that the combination of well-adapted orders 
remains possible for symmetrical Petri nets. 

Proposition 7. Let $\prec_1, \prec_2$ be two well-adapted orders on finite 
processes of a marked symmetrical net $(N, G, m_0)$. The order 
$lex(\prec_1, \prec_2)$ is well-adapted. 

Proof. This proof is almost the same as the proof of Proposition 5. □ 

The modelling of a priori unbounded queues is similar to that of finite ones. 
It is based on the use of an infinite array and two counters $In$ and $Out$. 
This modelling is presented in Fig. 5 and allows one to analyze systems for 
which the maximal size of the queue is unknown a priori. 




Fig. 5. A modelling of a FIFO with a finite but unknown bound 



Fig. 6 shows an example of a system using a queue with a finite but unknown 
bound, together with its complete prefix. It is important to notice that the 
analysis of the complete prefix allows us to determine that the effective 
bound of the queue for this system is three. 



4 Unfoldings of Products of Symmetrical Petri Nets 

Considering a system as a set of inter-operating components has been the starting 
point of numerous optimisations of verification methods. Here, we present the 
Fig. 6. A net using a FIFO with a finite but unknown bound (Fig. 5) and its 
complete prefix 



theoretical background which allows the design of a construction algorithm of the 
complete prefix of a system by the analysis of the unfoldings of its components. 
We first present the model that we consider, and then study its unfoldings. 

4.1 Products of Petri Nets 

We focus our attention on Petri nets synchronized on actions. Combined with 
queues, the model can handle systems communicating by message passing as 
well as rendez-vous. 

Definition 25. Let $N_1, \dots, N_n$ be labelled nets, where 
$N_i = (P_i, T_i, F_i, A_i, \lambda_i)$ (we assume for convenience that the 
sets $P_i$ are pairwise disjoint, as well as the sets $T_i$). The product 
$N = (P, T, F, A, \lambda)$ of the $N_i$ is the labelled net defined as 
follows: 

— $T = \{t \in \prod_i (T_i \cup \{\epsilon\}) \mid \exists a, \forall i : 
(a \in A_i \wedge t[i] \in T_i \wedge \lambda_i(t[i]) = a) \vee 
(a \notin A_i \wedge t[i] = \epsilon)\}$, 

— $\forall t \in T, \forall i, \forall p \in P_i : (p, t) \in F$ (resp. 
$(t, p) \in F$) iff $(p, t[i]) \in F_i$ (resp. $(t[i], p) \in F_i$), 

— 

— $\forall t \in T$, $\lambda(t) = \lambda_i(t[i])$ where $i$ is any 
$i \in [1, n]$ such that $t[i] \neq \epsilon$. 

Moreover, if the $N_i$ have $m_i$ as initial markings then $N$ has 
$m_0 = \sum_i m_i$ as initial marking. We denote by $\bigotimes_i N_i$ (resp. 
$\bigotimes_i (N_i, m_i)$) the product of the nets $N_i$ (resp. marked nets 
$(N_i, m_i)$). 
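The product construction of Definition 25 as an added example that is not the paper's code: two constructed components, a client and a server synchronized on the labels $x$ and $y$ with a server-local action $z$, and a second server carrying two candidates for the same label, which is the reentrant situation the text goes on to exclude. The dict encoding and every name are this example's own assumptions.

```python
"""Synchronized product of labelled nets (Def 25).  Added example with
constructed components; the dict encoding, the component names and the
helper names are this example's own, not the paper's code."""
from collections import Counter
from itertools import product as cartesian

EPS = "eps"  # the idle action epsilon of Def 25

def labelled_net(places, pre, post, label, m0):
    """A labelled marked net (P, T, F, A, lambda, m0); F is given through
    pre/post (transition -> set of places)."""
    return {"P": set(places), "T": set(pre), "pre": pre, "post": post,
            "A": set(label.values()), "lab": label, "m0": Counter(m0)}

def product_net(nets):
    """Def 25: a product transition is a tuple performing one action a in
    every component whose alphabet contains a and idling (EPS) elsewhere;
    its arcs are the union of the component arcs and m0 is the sum of the
    component markings."""
    pre, post, label = {}, {}, {}
    for a in set().union(*(n["A"] for n in nets)):
        choices = [[t for t in n["T"] if n["lab"][t] == a] if a in n["A"]
                   else [EPS] for n in nets]
        for tup in cartesian(*choices):
            active = [(n, t) for n, t in zip(nets, tup) if t != EPS]
            pre[tup] = set().union(*(n["pre"][t] for n, t in active))
            post[tup] = set().union(*(n["post"][t] for n, t in active))
            label[tup] = a
    places = set().union(*(n["P"] for n in nets))
    return labelled_net(places, pre, post, label,
                        sum((n["m0"] for n in nets), Counter()))

def check_product(nets, prod):
    """The arc and labelling clauses of Def 25: for every product transition
    t and component i, the arcs between t and P_i are exactly the arcs of
    t[i] in N_i, and lambda(t) = lambda_i(t[i]) wherever t[i] is not EPS."""
    for t in prod["T"]:
        for i, n in enumerate(nets):
            for p in n["P"]:
                want_pre = t[i] != EPS and p in n["pre"][t[i]]
                want_post = t[i] != EPS and p in n["post"][t[i]]
                if (p in prod["pre"][t]) != want_pre:
                    return False
                if (p in prod["post"][t]) != want_post:
                    return False
            if t[i] != EPS and prod["lab"][t] != n["lab"][t[i]]:
                return False
    return True

# Constructed client: requests (x) then waits for the answer (y).
CLIENT = labelled_net({"c0", "c1"},
                      {"req": {"c0"}, "ack": {"c1"}},
                      {"req": {"c1"}, "ack": {"c0"}},
                      {"req": "x", "ack": "y"}, {"c0": 1})
# Constructed server: one candidate per shared label, plus a local action z.
SERVER = labelled_net({"s0", "s1"},
                      {"serve": {"s0"}, "done": {"s1"}, "tick": {"s0"}},
                      {"serve": {"s1"}, "done": {"s0"}, "tick": {"s0"}},
                      {"serve": "x", "done": "y", "tick": "z"}, {"s0": 1})
# Constructed variant with two candidates for x (and y) from the same state:
# the reentrant situation of Sect. 4.1.
SERVER2 = labelled_net({"s0", "s1", "s2"},
                       {"serve": {"s0"}, "done": {"s1"}, "tick": {"s0"},
                        "serve2": {"s0"}, "done2": {"s2"}},
                       {"serve": {"s1"}, "done": {"s0"}, "tick": {"s0"},
                        "serve2": {"s2"}, "done2": {"s0"}},
                       {"serve": "x", "done": "y", "tick": "z",
                        "serve2": "x", "done2": "y"}, {"s0": 1})

if __name__ == "__main__":
    P = product_net([CLIENT, SERVER])
    print(sorted(P["T"]), check_product([CLIENT, SERVER], P))
```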

We restrict the model to systems for which the rendez-vous mechanism is 
not confusing. More precisely, we impose that when a service is asked for by a 
component from another then there is no more than one candidate in the server. 
A component having this property is said to be non-reentrant. 
Definition 26. Let $N = (P, T, F, A, \lambda, m_0)$ be a labelled marked net. 
A label $a$ in $A$ is non-reentrant in $N$ iff 
$\forall m \in Reach(N, m_0), \forall t, t' \in T, 
\lambda(t) = \lambda(t') = a \Rightarrow \ldots$ Let $N = \bigotimes_i N_i$ be 
a product. The product $N$ has non-reentrant synchronization iff 
$\forall a \in A(N), \forall i, j, (i \neq j \wedge a \in A_i \cap A_j) 
\Rightarrow a$ is non-reentrant in $N_i$. For convenience such a product is 
said to be a non-reentrant product. 

Fig. 7 presents a set $\{N_1, N_2\}$ of labelled nets and their product (on 
the right). One can remark that this product has non-reentrant 
synchronization. On the contrary, if one does not distinguish $x$ and $y$ 
then the synchronisation is not non-reentrant any more. We will see in the 
following that the reentrant model causes problems for the modular view of 
the unfolding. 





Fig. 7. A product having a non-reentrant synchronization 



When the queues presented in Fig. 3 and Fig. 5 are considered as components of 
a product net, the transitions $sx_i$ and $rx_i$ are respectively labelled by 
$sx$ and $rx$. These two nets are non-reentrant thanks to the counters $In$ 
and $Out$. 

4.2 Branching Processes of a Product of Petri Nets 

From this point of the paper onwards, we consider a set of marked labelled 
nets $(N_i, m_i)$, $1 \le i \le n$, and their product net 
$(N, m_0) = \bigotimes_i (N_i, m_i)$. We denote for all $i$ by 
$\beta_i = ((B_i, E_i, F_i), h_i)$ the maximal branching process of 
$(N_i, m_i)$ and by $\beta = ((B, E, F), h)$ any branching process of 
$(N, m_0)$. One can consider a branching process $\beta_i$ as a labelled net 
(the labelling function is $\lambda_i \circ h_i$). Thus, the product 
$\bigotimes_i \beta_i$ is well defined. Notice that this product is not 
necessarily an unfolding. However, it is used as an intermediary structure to 
define a labelling function which connects the elements of $\beta$ to those 
of the $\beta_i$. 
Proposition 8. Let $\beta$ be a branching process of the product 
$(N, m_0) = \bigotimes_i (N_i, m_i)$. Then there exists a homomorphism $\Psi$ 
from $\beta$ to $\bigotimes_i \beta_i$ such that: 

— $\forall b \in B, \forall i : \Psi(b) \in B_i \Rightarrow h(b) = h_i(\Psi(b))$, 

— $\forall e \in E, \forall i$: if $\Psi(e)[i] \in E_i$ then 
$h(e)[i] = h_i(\Psi(e)[i])$ else $h(e)[i] = \epsilon$. 

Proof. We first set the values of the mapping $\Psi$ for the initial 
conditions of $\beta$. Applying the definition of a branching process: 
$m_0 = h(Min(\beta)) = \sum_i h_i(Min(\beta_i))$. This proves that there 
exists a bijection $\theta$ between the sets $Min(\beta)$ and 
$\bigcup_i Min(\beta_i)$ such that 
$\forall b \in Min(\beta), \forall i : \theta(b) \in B_i \Rightarrow h(b) = h_i(\theta(b))$. 
We set $\forall b \in Min(\beta) : \Psi(b) = \theta(b)$. 

We define the value of the mapping $\Psi$ for any event $e$ and its output 
conditions inductively on the size of its local configuration $[e]$, such 
that the two requirements of the proposition and the homomorphism 
requirements hold for any event and any condition already defined. Let $M_e$ 
be the marking in $\beta$ obtained by firing all the events less than $e$. By 
induction the mapping $\Psi$ is already defined for any condition in $M_e$, 
and hence $\Psi(M_e)$ is a reachable marking in $\bigotimes_i \beta_i$. If 
$h(e)[i] = \epsilon$, we set $\Psi(e)[i] = \epsilon$. If $h(e)[i] \neq \epsilon$, 
$\Psi({}^\bullet e) \cap B_i$ is included in $\Psi(M_e)$, and hence is a 
nonempty set of concurrent conditions in $\beta_i$ such that 
$h_i(\Psi({}^\bullet e) \cap B_i) = {}^\bullet h(e)[i]$. We set 
$\Psi(e)[i] = e_i$ with $e_i \in E_i$ such that $h_i(e_i) = h(e)[i]$ and 
${}^\bullet e_i = \Psi({}^\bullet e) \cap B_i$. Because the partial markings 
$h(e^\bullet) \cap P_i$ and $h_i(e_i^\bullet)$ are equal, one can set the 
mapping $\Psi$ for any condition $b$ in $e^\bullet$ with $h(b) \in N_i$. This 
concludes the inductive construction of $\Psi$, and thus concludes the 
proof. □ 

Fig. 8 illustrates the mapping $\Psi$ on the product net of Fig. 7. On the 
left, the maximal branching processes of the components are shown. The 
maximal branching process of the product is presented on the right of the 
figure, and for each element the image under $\Psi$ is given. Moreover, the 
projection on each component of the local configuration $[e]$ is given as a 
tuple for each event $e$. 




Fig. 8. Branching processes of a non-reentrant product and its components 



The mapping $\Psi$ is used to characterize the behavior of each component 
from a behavior of the product. Moreover, the property of non-reentrance 
ensures that this characterization is unique. 
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Proposition 9 . Let j 3 be a branching process of the product (TV, mo). Let C be 
a configuration of p. Let = {'L{e)[i] | e € C A L'{e)[i] ^ e}. The set C[i] 

is a configuration of Pi and T{Cut{C)) = [j^Cut{C[i]). Moreover, if {N,mo) 
is non-reentrant then the mapping which associates to each configuration C the 
tuple (^[ 1 ], . . . , C[n]) is injective. 

Proof. We first prove that $C[i]$ is a configuration of $\beta_i$. Let $\sigma$ be a firing sequence in $\beta$ containing all the events of $C$. Because $\Psi$ is a homomorphism, $\Psi(\sigma)$ is a firing sequence in $\bigotimes_i \beta_i$. The projection $\Psi(\sigma)[i]$ of $\Psi(\sigma)$ is a firing sequence of $\beta_i$ which contains exactly the events of $C[i]$. This proves that $C[i]$ is a configuration of $\beta_i$. The fact that $\Psi(Cut(C)) = \bigcup_i Cut(C[i])$ is immediate.

We prove the second part of the proposition by contradiction, using Proposition 10 in advance. Let $C$ and $C'$ be two distinct configurations such that $C[i] = C'[i]$ for every branching process $\beta_i$. Then there exist a branching process $\beta_i$ and two distinct events $e \in C$, $e' \in C'$ with $\Psi(e)[i] = \Psi(e')[i] \neq \varepsilon$. Applying Proposition 10, $C \cup C'$ is also a configuration. If $\sigma$ is a firing sequence associated to $C \cup C'$, the projection $\Psi(\sigma)[i]$ is a firing sequence on $\beta_i$ which contains the event $\Psi(e)[i]$ at least twice. Because $\beta_i$ is a branching process, this is impossible.

□

Fig. 9 illustrates the confusing identification induced by a product having a reentrant synchronization. The two events marked in the figure have the same tuple of component configurations, whereas their local configurations are obviously different.




Fig. 9. Branching processes of a reentrant product and its components 



One important property needed to construct a complete prefix is to check whether two conditions $b_1$ and $b_2$ are concurrent. One way consists in determining whether $C = [{}^\bullet b_1] \cup [{}^\bullet b_2]$ forms a configuration, and hence $b_1, b_2 \in Cut(C)$. The following proposition indicates how to determine in a modular way whether the union of two configurations is a configuration.

Proposition 10. Let $\beta$ be a branching process of the product $(N, m_0)$. Let $C, C'$ be two configurations of $\beta$. If $(N, m_0)$ is non-reentrant, then $C \cup C'$ is a configuration of $\beta$ iff $\forall i$, $C[i] \cup C'[i]$ is a configuration of $\beta_i$.

Proof. The necessary condition is obvious: $(C \cup C')[i] = C[i] \cup C'[i]$ for every branching process $\beta_i$, and it is a configuration.

Let us prove, by contradiction, that "$\forall i$, $C[i] \cup C'[i]$ is a configuration of $\beta_i$" is a sufficient condition for $C \cup C'$ to be a configuration. If $C \cup C'$ is not a configuration, $C \cup C'$ is not conflict-free: $\exists e \in C, e' \in C' : e \# e'$. Indeed, $C \cup C'$ is causally left-closed, and if there is a conflict in $C \cup C'$, it must be between events of $C$ and events of $C'$. Let us select $e, e'$ such that $[e]$ and $[e']$ are minimal: $[e] \cup [e'] \setminus \{e, e'\}$ is a configuration of $\beta$.

We show that the labellings of $e$ and $e'$ are equal: $\lambda(h(e)) = \lambda(h(e'))$. Let $b$ be a common input condition of $e$ and $e'$. If $\Psi(b) \in B_i$, then $\Psi(e)[i] = \Psi(e')[i]$; otherwise $\Psi(e)[i]$ and $\Psi(e')[i]$ would be conflicting events in $C[i] \cup C'[i]$. This proves that $\lambda(h(e)) = \lambda_i(h_i(\Psi(e)[i])) = \lambda(h(e'))$.

The events $e$ and $e'$ can differ in two ways: $h(e) \neq h(e')$ or ${}^\bullet e \neq {}^\bullet e'$. If $h(e) \neq h(e')$, there exists $i$ with $h(e)[i] \neq h(e')[i]$. Because $C[i] \cup C'[i]$ is a configuration, $\Psi(e)[i]$ and $\Psi(e')[i]$ are concurrent events in $\beta_i$ labelled by the same letter. This contradicts the non-reentrant property. If ${}^\bullet e \neq {}^\bullet e'$, there exists a condition $b$ in ${}^\bullet e$ and not in ${}^\bullet e'$. Let $\beta_i$ be the branching process containing the condition $\Psi(b) \in B_i$. If $\Psi(e)[i]$ and $\Psi(e')[i]$ are different events, then they are two concurrent events in $\beta_i$ labelled by the same letter, which contradicts the non-reentrant property. Otherwise, there exists a condition $b' \in {}^\bullet e'$ such that $\Psi(b) = \Psi(b')$. The conditions $b$ and $b'$ are both marked in $M = Cut([e] \cup [e'] \setminus \{e, e'\})$, hence $\Psi(b)$ is not 1-bounded in $\Psi(M)$. This is impossible because $\beta_i$ is a safe net, as it is a branching process. □

4.3 Finite Complete Prefixes of a Product of Petri Nets 

In this subsection, we study the processes of a product and show how to design 
a well-adapted order from well-adapted orders of its components. 

Proposition 11. Let $\pi = ((B, E, F), h)$ be a process of $(N, m_0)$. For every $i$, let $\pi[i] = ((B_i, E_i, F_i), h_i)$ be defined by

- $B_i = \{b \in B \mid h(b) \in P_i\}$
- $E_i = \{e \in E \mid h(e)[i] \neq \varepsilon\}$
- $F_i = F \cap ((B_i \times E_i) \cup (E_i \times B_i))$
- $\forall b \in B_i, h_i(b) = h(b)$; $\forall e \in E_i, h_i(e) = h(e)[i]$.

Then $\pi[i]$ is a process of $(N_i, m_i)$. Moreover, if $(N, m_0)$ is non-reentrant then the mapping which associates to each process $\pi$ the tuple $(\pi[1], \ldots, \pi[n])$ is injective.

Proof. This proposition is a direct application of Proposition 9 when considering $\pi$ as a branching process of $N$. □
A well-adapted order of a component defines a well-adapted order on the processes of the product. The lexicographic combination allows one to design a well-adapted total order for the product when each component has a well-adapted total order.

Proposition 12. For every $i$, let $\prec_i$ be a well-adapted order over the finite processes of $N_i$. Let the relations $\prec_{[i]}$ over finite processes of $N$ be defined by $\pi \prec_{[i]} \pi'$ iff $\pi[i] \prec_i \pi'[i]$. These relations are well-adapted orders. Moreover, if $N$ is non-reentrant and every $\prec_i$ is a total order, then $lex(\prec_{[1]}, \ldots, \prec_{[n]})$ is a total order.

Proof. The fact that $\prec_{[i]}$ is well-adapted is obvious: one just has to notice that $\pi \subset \pi' \Rightarrow \pi[i] \subset \pi'[i]$ and $\pi \in \pi_1 \cdot \pi_2 \Rightarrow \pi[i] \in \pi_1[i] \cdot \pi_2[i]$. The second part of the proposition is directly deduced from Proposition 11, which states that a process $\pi$ is characterized by $(\pi[1], \ldots, \pi[n])$. □

The previous proposition has an important consequence: it allows one to select the best order depending on the type of the components. For instance, in [?], each component is a state machine and the selected order is total and checked efficiently. In the following section, we will see how to extend this result to systems obtained by composition of state machines and queues.



4.4 Finite Complete Prefixes of a Product of Symmetrical Petri Nets

This part presents a natural adaptation of the previous results for products 
of symmetrical Petri nets. We first define a product of symmetrical Petri nets 
as a symmetrical net. As a consequence, a branching process of a product of 
symmetrical nets is well defined as a branching process of a product of nets. As 
a symmetrical net, the unfolding is also well defined. It remains to define the 
modular construction of a well-adapted order. 

Definition 27. Let $(N_1, G_1), \ldots, (N_n, G_n)$ be labelled symmetrical nets. The product $(N, G) = \bigotimes_i (N_i, G_i)$ is defined as $(\bigotimes_i N_i, \prod_i G_i)$. A product of marked labelled symmetrical nets $\bigotimes_i (N_i, G_i, m_i)$ is non-reentrant iff the product $\bigotimes_i (N_i, m_i)$ is non-reentrant.

The following proposition generalises Prop. 12 to products of symmetrical nets.

Proposition 13. For every $i$, let $\prec_i$ be a well-adapted order over the finite processes of $(N_i, G_i)$. Let the relations $\prec_{[i]}$ over finite processes of $(N, G)$ be defined by $\pi \prec_{[i]} \pi'$ iff $\pi[i] \prec_i \pi'[i]$. These relations are well-adapted orders. Moreover, if $(N, G)$ is non-reentrant and every $\prec_i$ is a total order, then $lex(\prec_{[1]}, \ldots, \prec_{[n]})$ is a total order.

Proof. This proof is as simple as the proof of Proposition 12. □



Unfolding of Products of Symmetrical Petri Nets 139 



5 Implementation of Unfoldings of Products of Symmetrical Petri Nets

In this section, we show how the construction of a complete prefix can benefit from the modular decomposition of the net. Moreover, the symmetries will be taken into account to limit the size of this prefix. Then, we present an efficient implementation for systems composed of state machines and queues.



5.1 Modular Construction 

A generic algorithm for Petri nets is given in Alg. 5.1. The main operations required to build a complete prefix of a product of symmetrical nets are to manage a heap of events sorted on their local configurations, to detect cutoffs and to compute the possible extensions (i.e. new events) of a prefix. To get a modular construction, all these operations have to be designed using only the following basic computations for each component. Let $C_i$ and $C'_i$ be two configurations of a component $i$ and $b_i$ a condition of $i$.

1. decide if $\Omega(C_i) \prec \Omega(C'_i)$

2. compute $Cut(C_i)$

3. decide if $C_i \cup C'_i$ forms a configuration

4. decide if $b_i \in Cut(C_i)$

Propositions 8 and 9 indicate that any element $v \in B \cup E$ of a prefix can be encoded by $\Psi(v)$ together with the tuple of component configurations $([v][1], \ldots, [v][n])$. For the computation of extensions, we introduce new data related to extensions local to a component. For a component $i$, a local extension $l_i$ is a pair $(e_i, Pre_i)$ with $e_i \in E_i$ and $Pre_i \subseteq \Psi^{-1}(B_i)$. We impose that ${}^\bullet e_i = \Psi(Pre_i)$ and that $Pre_i$ is a set of concurrent conditions in the prefix already constructed. One can remark that the definition of $\Psi$ ensures that such a local extension is valid (i.e. the homomorphism and the concurrency are respected in component $i$). We denote by $\mathcal{L}_i$ the set of local extensions and by $\mathcal{L}_i(a)$ the ones labelled by $a \in A$: $\mathcal{L}_i(a) = \{(e_i, Pre_i) \in \mathcal{L}_i \mid \lambda_i(h_i(e_i)) = a\}$. For convenience, we define $\mathcal{L}_i(a) = \{(\varepsilon, \emptyset)\}$ when $a \notin A_i$. We are now in a position to discuss the implementation of the computation of finite prefixes:

- Sort configurations: we use the lexicographic order defined in Prop. 13.

- Check cutoff for an event $e$: we compute the cut corresponding to the configuration $[e]$ using Prop. 9 as $Cut_N([e]) = \bigcup_i Cut_{N_i}([e][i])$. Then we check whether there exists an event $e'$ with an equivalent cut ($\forall i$, $Cut_{N_i}([e][i]) = Cut_{N_i}([e'][i])$) such that $[e'] \prec [e]$.

- Compute extensions: we assume that the sets of local extensions $\mathcal{L}_i(a)$ are coherent with respect to the already computed prefix. A global extension $l$ is a tuple $(l_1, \ldots, l_n)$ of local extensions $l_i \in \mathcal{L}_i(a)$ for a given label $a$. This definition ensures that the property of synchronization is satisfied. To construct a valid extension, we have to check that all the conditions in $\bigcup_k Pre_k$ are concurrent:

  - $C = \bigcup_k [Pre_k]$ is a configuration. This test can be done on each component ($\forall i$, $\bigcup_k [Pre_k][i]$ is a configuration of component $i$).

  - Each condition in $\bigcup_k Pre_k$ belongs to $Cut(C)$. This test can be done on each component ($\forall i, \forall b \in Pre_i$, $\Psi(b) \in Cut(C[i])$).

Algorithm 5.1 Unfold

    Prefix func unfold(PetriNet (N, m0)) {
        Prefix prefix(N, m0);
        SortedHeap heap;
        heap.put(prefix.initEvent());
        while (not heap.isEmpty()) {
            Event event = heap.getMax();
            prefix.addIn(event);
            if (not prefix.isCutoff(event))
                foreach successor in extend(prefix, event)
                    heap.put(successor);
        }
        return prefix;
    }
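As an added illustration that is not the paper's modular implementation, the following Python code builds a finite complete prefix of a plain safe net in the shape of Alg. 5.1. It replaces the per-component tests by the direct concurrency relation of the occurrence net and the lexicographic order of Prop. 13 by McMillan's size-based cutoff criterion (an event is a cutoff when its local configuration reaches a marking already reached by a strictly smaller local configuration). The class and function names and the producer/consumer net are assumptions made for the example; the result is checked against a plain marking-graph exploration.

```python
import heapq
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Set

Marking = FrozenSet[str]


class SafeNet:
    """Safe P/T net given by the pre- and post-sets (place names) of its transitions."""

    def __init__(self, m0, pre: Dict[str, set], post: Dict[str, set]):
        assert all(pre[t] for t in pre), "transitions without input places are not handled"
        self.m0: Marking = frozenset(m0)
        self.pre = {t: frozenset(s) for t, s in pre.items()}
        self.post = {t: frozenset(s) for t, s in post.items()}

    def reachable_markings(self) -> Set[Marking]:
        """Plain marking-graph exploration, used only as the reference answer."""
        seen, todo = {self.m0}, [self.m0]
        while todo:
            m = todo.pop()
            for t, pre in self.pre.items():
                if pre <= m and (m2 := (m - pre) | self.post[t]) not in seen:
                    seen.add(m2)
                    todo.append(m2)
        return seen


class Prefix:
    """Occurrence net under construction; conditions and events are integer ids."""

    def __init__(self, net: SafeNet):
        self.net = net
        self.place: List[str] = []              # condition -> place label
        self.co: List[Set[int]] = []            # condition -> concurrent conditions
        self.pre_ev: List[Optional[int]] = []   # condition -> input event (None if initial)
        self.trans: List[str] = []              # event -> transition label
        self.pre_c: List[FrozenSet[int]] = []   # event -> preset
        self.post_c: List[FrozenSet[int]] = []  # event -> postset
        self.local: List[FrozenSet[int]] = []   # event -> local configuration [e]
        self.cutoff: Set[int] = set()
        init = [self._new_condition(p, None) for p in sorted(net.m0)]
        for b in init:                          # initial conditions are pairwise concurrent
            self.co[b] = set(init) - {b}

    def _new_condition(self, place: str, ev: Optional[int]) -> int:
        self.place.append(place); self.co.append(set()); self.pre_ev.append(ev)
        return len(self.place) - 1

    def local_size(self, preset: FrozenSet[int]) -> int:
        """|[e]| of a prospective event with this preset."""
        return 1 + len(set().union(*(self.local[self.pre_ev[b]] for b in preset if self.pre_ev[b] is not None)))

    def add_event(self, t: str, preset: FrozenSet[int]) -> int:
        e = len(self.trans)
        self.trans.append(t); self.pre_c.append(preset)
        self.local.append(frozenset({e}.union(*(self.local[self.pre_ev[b]] for b in preset if self.pre_ev[b] is not None))))
        outs = [self._new_condition(p, e) for p in sorted(self.net.post[t])]
        # An older condition is concurrent with the outputs of e iff it is concurrent with
        # every input condition of e; the outputs of e are concurrent with each other.
        common = set.intersection(*(self.co[b] for b in preset))
        for b in outs:
            self.co[b] = (common | set(outs)) - {b}
            for b2 in common:
                self.co[b2].add(b)
        self.post_c.append(frozenset(outs))
        return e

    def marking(self, e: int) -> Marking:
        """Mark([e]): the places of the cut reached by firing the local configuration of e."""
        cfg = self.local[e]
        consumed = set().union(*(self.pre_c[x] for x in cfg))
        return frozenset(self.place[b] for b in range(len(self.place))
                         if (self.pre_ev[b] is None or self.pre_ev[b] in cfg) and b not in consumed)

    def extensions(self):
        """Possible extensions (t, pairwise concurrent conditions labelled by the preset of t);
        conditions produced by cutoff events are ignored, nothing is built below them."""
        live = [b for b in range(len(self.place)) if self.pre_ev[b] not in self.cutoff]
        for t, pre in self.net.pre.items():
            cands = [[b for b in live if self.place[b] == p] for p in sorted(pre)]
            for combo in product(*cands):
                if all(b2 in self.co[b1] for b1 in combo for b2 in combo if b1 != b2):
                    yield t, frozenset(combo)

    def markings(self) -> Set[Marking]:
        """Every marking represented by the prefix, by exploring its (acyclic) cuts."""
        init = frozenset(b for b in range(len(self.place)) if self.pre_ev[b] is None)
        seen, todo = {init}, [init]
        while todo:
            cut = todo.pop()
            for e in range(len(self.trans)):
                if self.pre_c[e] <= cut and (nxt := (cut - self.pre_c[e]) | self.post_c[e]) not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return {frozenset(self.place[b] for b in cut) for cut in seen}


def unfold(net: SafeNet) -> Prefix:
    """Alg. 5.1 with McMillan's criterion: e is a cutoff iff Mark([e]) is the initial
    marking or the marking of an event with a strictly smaller local configuration."""
    prefix, heap, queued, counter = Prefix(net), [], set(), 0
    smallest: Dict[Marking, int] = {net.m0: 0}   # marking -> smallest |[e]| reaching it

    def queue_extensions():
        nonlocal counter
        for t, preset in prefix.extensions():
            if (t, preset) not in queued:
                queued.add((t, preset))
                heapq.heappush(heap, (prefix.local_size(preset), counter, t, preset))
                counter += 1

    queue_extensions()
    while heap:                                  # events are added in order of |[e]|
        size, _, t, preset = heapq.heappop(heap)
        e = prefix.add_event(t, preset)
        m = prefix.marking(e)
        if m in smallest and smallest[m] < size:
            prefix.cutoff.add(e)
        else:
            smallest.setdefault(m, size)
            queue_extensions()
    return prefix


# Constructed sample net: a producer and a consumer sharing a one-slot buffer.
PRODUCER_CONSUMER = SafeNet(
    m0={"p_idle", "buf_empty", "c_idle"},
    pre={"produce": {"p_idle"}, "put": {"p_busy", "buf_empty"},
         "get": {"buf_full", "c_idle"}, "consume": {"c_busy"}},
    post={"produce": {"p_busy"}, "put": {"p_idle", "buf_full"},
          "get": {"buf_empty", "c_busy"}, "consume": {"c_idle"}})

if __name__ == "__main__":
    prefix = unfold(PRODUCER_CONSUMER)
    print(len(prefix.trans), "events,", len(prefix.cutoff), "cutoffs,",
          len(prefix.markings()), "markings")
```

The heap is keyed on $|[e]|$, so events are added in the order Alg. 5.1 requires and the first event reaching a marking is the one with the smallest local configuration; the modular version of the paper replaces `marking` and `extensions` by the per-component operations 1 to 4 and the size comparison by the lexicographic order.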



5.2 Application to Finite State Machines and Queue Components 

Applying the modular algorithm described previously to a given type of component requires the definition of a representation for the unfolding of the components as well as the implementation of the basic operations. In the case of finite state machines and queues, we have explicit representations of the maximal branching processes, which allow us to specialize the representation of a process, of a configuration and of a canonical form of equivalent states.

In the case of single-marked finite state machines, the maximal branching process has a tree structure, and the paths from the root correspond to firing sequences of the system. The following tables give a formal description of the branching process.



  Element   Encoding
  B         $\sigma$ : $\sigma \in T^*$ and $m_0 \xrightarrow{\sigma}$
  Min       $\{\varepsilon\}$
  E         $\sigma$ : $\sigma \in T^+$ and $m_0 \xrightarrow{\sigma}$

  Event              ${}^\bullet e$     $e^\bullet$
  $\sigma \cdot t$   $\sigma$           $\sigma \cdot t$


Configurations and processes are encoded by firing sequences, and states by places. We are now in a position to specify how the basic required operations are designed. Let $\sigma$ and $\sigma'$ be two sequences representing configurations and $\sigma''$ a sequence representing a condition. We use $\prec_{lex}$ for the lexicographic order and $\sqsubseteq$ for the prefix order over words.

1. decide if $\Omega(\sigma) \prec \Omega(\sigma')$: $|\sigma| < |\sigma'|$, or $|\sigma| = |\sigma'|$ and $\sigma \prec_{lex} \sigma'$

2. compute $Cut(\sigma)$: $\{p \in P \mid m_0 \xrightarrow{\sigma} p\}$

3. decide if $\sigma \cup \sigma'$ forms a configuration: $\sigma \sqsubseteq \sigma'$ or $\sigma' \sqsubseteq \sigma$

4. decide if $\sigma'' \in Cut(\sigma)$: $\sigma = \sigma''$

For a queue component of finite but unknown bound, we consider two sets of transition labels $Send$ and $Receive$, and a mapping $\mu : Send \cup Receive \to Mess$. The sets $Send$ and $Receive$ correspond to the enqueue and dequeue actions, and the mapping $\mu$ specifies the message for which the action is performed.

The maximal branching process has two types of events: Send and Receive. A Send event is specified by a sequence of enqueue actions of the system, while a Receive event is specified by a sequence of dequeue actions of the system together with the sequence of corresponding enqueue actions. We consider three types of conditions, In, M and Out, associated to the places of the queue model. We characterize them by their input events (i.e. conditions In and M by their input Send event and conditions Out by their input Receive event). The following tables give a formal description of the branching process.



  Element   Encoding
  B         $In[\sigma_s]$ : $\sigma_s \in Send^*$
            $M[\sigma_s]$ : $\sigma_s \in Send^+$
            $Out[\sigma_s, \sigma_r]$ : $\sigma_s \in Send^* \wedge \sigma_r \in Receive^* \wedge \mu(\sigma_s) = \mu(\sigma_r)$
  Min       $\{In[\varepsilon], Out[\varepsilon, \varepsilon]\}$
  E         $Send[\sigma_s]$ : $\sigma_s \in Send^+$
            $Receive[\sigma_s, \sigma_r]$ : $\sigma_s \in Send^+ \wedge \sigma_r \in Receive^+ \wedge \mu(\sigma_s) = \mu(\sigma_r)$

  Event                                              ${}^\bullet e$                                        $e^\bullet$
  $Send[\sigma_s \cdot t_s]$                         $In[\sigma_s]$                                        $In[\sigma_s \cdot t_s]$, $M[\sigma_s \cdot t_s]$
  $Receive[\sigma_s \cdot t_s, \sigma_r \cdot t_r]$  $M[\sigma_s \cdot t_s]$, $Out[\sigma_s, \sigma_r]$    $Out[\sigma_s \cdot t_s, \sigma_r \cdot t_r]$

Configurations and processes are encoded by pairs of words $(\sigma_s, \sigma_r) \in Send^* \times Receive^*$ such that $\mu(\sigma_s) = \mu(\sigma_r) \cdot m$ for some $m \in Mess^*$ (i.e. the sequences of sending and receiving actions), and states by words on $Mess$ (i.e. the messages in the queue). We are now in a position to specify how the basic required operations are designed.

1. decide if $\Omega(\sigma_s, \sigma_r) \prec \Omega(\sigma'_s, \sigma'_r)$: $|\sigma_s| + |\sigma_r| < |\sigma'_s| + |\sigma'_r|$; for equal total lengths, $\sigma_s \prec_{lex} \sigma'_s$; for equal send words, $\sigma_r \prec_{lex} \sigma'_r$

2. compute $Cut(\sigma_s, \sigma_r)$: $\{m \in Mess^* \mid \mu(\sigma_s) = \mu(\sigma_r) \cdot m\}$

3. decide if $(\sigma_s, \sigma_r) \cup (\sigma'_s, \sigma'_r)$ forms a configuration:

   - $\sigma_s \sqsubseteq \sigma'_s \wedge (\sigma_r \sqsubseteq \sigma'_r \vee (\sigma'_r \sqsubseteq \sigma_r \wedge \mu(\sigma_r) \sqsubseteq \mu(\sigma'_s)))$, or

   - $\sigma'_s \sqsubseteq \sigma_s \wedge (\sigma'_r \sqsubseteq \sigma_r \vee (\sigma_r \sqsubseteq \sigma'_r \wedge \mu(\sigma'_r) \sqsubseteq \mu(\sigma_s)))$

4. decide if $b \in Cut(\sigma_s, \sigma_r)$:

   - if $b = In[\sigma'']$ or $b = M[\sigma'']$: $\sigma'' = \sigma_s$

   - if $b = Out[\sigma'', \sigma''']$: $\sigma'' \sqsubseteq \sigma_s \wedge \sigma''' = \sigma_r$

One can remark that all the basic operations are implemented using only simple computations on words. The implementation of a bounded queue introduces a new type F of conditions representing the free slots of the queue. Its maximal branching process is then more intricate because a sending event also depends on a sequence of Receive actions. However, the basic operations remain simple to implement.
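As an added example (not code from the paper), the following Python implements the four basic operations of this subsection for a single-marked state machine component and for a queue component of unknown bound, directly on the word encodings above. The sample components, their labels and all names are constructed for the illustration. One caveat is built in: for the $M[\sigma'']$ case of operation 4 the code tests $\sigma_r \sqsubset \sigma'' \sqsubseteq \sigma_s$ (the message has been sent but not yet received), which is what the pre- and post-sets of the event table imply, whereas the condition $\sigma'' = \sigma_s$ stated above only covers the most recently sent message.

```python
from typing import Dict, Optional, Set, Tuple

Word = Tuple[str, ...]
QueueConfig = Tuple[Word, Word]          # (sigma_s, sigma_r)


def is_prefix(u: Word, v: Word) -> bool:
    """The prefix order on words: u is a prefix of v."""
    return v[:len(u)] == u


class StateMachineComponent:
    """Single-marked state machine: a configuration is a firing sequence from m0,
    a condition is the sequence leading to it, a state is a place."""

    def __init__(self, m0: str, arcs: Dict[Tuple[str, str], str]):
        self.m0, self.arcs = m0, arcs      # arcs[(place, transition)] = next place

    def run(self, sigma: Word) -> Optional[str]:
        """The place reached by sigma from m0, or None if sigma is not firable."""
        p = self.m0
        for t in sigma:
            p = self.arcs.get((p, t))
            if p is None:
                return None
        return p

    @staticmethod
    def order_lt(s1: Word, s2: Word) -> bool:
        """Operation 1: shorter sequence first, lexicographic among equal lengths."""
        return (len(s1), s1) < (len(s2), s2)

    def cut(self, sigma: Word) -> Set[str]:
        """Operation 2: the single place marked after sigma."""
        p = self.run(sigma)
        if p is None:
            raise ValueError("not a configuration")
        return {p}

    @staticmethod
    def union_is_configuration(s1: Word, s2: Word) -> bool:
        """Operation 3: one sequence must be a prefix of the other."""
        return is_prefix(s1, s2) or is_prefix(s2, s1)

    @staticmethod
    def condition_in_cut(cond: Word, sigma: Word) -> bool:
        """Operation 4: the condition reached by cond is marked after sigma iff cond == sigma."""
        return cond == sigma


class QueueComponent:
    """Queue of unknown bound: a configuration is (sigma_s, sigma_r) with
    mu(sigma_s) = mu(sigma_r) . m; the state is the queue content m."""

    def __init__(self, mu: Dict[str, str]):
        self.mu = mu                       # action label -> message

    def msgs(self, w: Word) -> Word:
        return tuple(self.mu[a] for a in w)

    def is_configuration(self, cfg: QueueConfig) -> bool:
        ss, sr = cfg
        return is_prefix(self.msgs(sr), self.msgs(ss))

    @staticmethod
    def order_lt(c1: QueueConfig, c2: QueueConfig) -> bool:
        """Operation 1: total length, then the send word, then the receive word."""
        return (len(c1[0]) + len(c1[1]), c1[0], c1[1]) < (len(c2[0]) + len(c2[1]), c2[0], c2[1])

    def cut(self, cfg: QueueConfig) -> Word:
        """Operation 2: the messages still queued."""
        if not self.is_configuration(cfg):
            raise ValueError("not a configuration")
        ss, sr = cfg
        return self.msgs(ss)[len(sr):]

    def union_is_configuration(self, c1: QueueConfig, c2: QueueConfig) -> bool:
        """Operation 3, the two disjuncts of the text."""
        (ss, sr), (ts, tr) = c1, c2
        m = self.msgs
        return ((is_prefix(ss, ts) and (is_prefix(sr, tr) or (is_prefix(tr, sr) and is_prefix(m(sr), m(ts)))))
                or (is_prefix(ts, ss) and (is_prefix(tr, sr) or (is_prefix(sr, tr) and is_prefix(m(tr), m(ss))))))

    def condition_in_cut(self, cond: tuple, cfg: QueueConfig) -> bool:
        """Operation 4 for cond = ("In", w), ("M", w) or ("Out", ws, wr)."""
        ss, sr = cfg
        kind, *args = cond
        if kind == "In":
            return args[0] == ss
        if kind == "M":
            # M[w] is produced by Send[w] and consumed by the Receive matching its last
            # message, so it is marked iff w is a prefix of sigma_s longer than sigma_r
            # (reading of the event table; the text's "w = sigma_s" keeps only the last send).
            return is_prefix(args[0], ss) and len(args[0]) > len(sr)
        if kind == "Out":
            ws, wr = args
            return self.msgs(ws) == self.msgs(wr) and is_prefix(ws, ss) and wr == sr
        raise ValueError(f"unknown condition type {kind}")


# Constructed sample components: a producer that sends "a" or "b" and waits for an
# acknowledgement, and a queue whose labels s_x / r_x send / receive message x.
PRODUCER = StateMachineComponent("p0", {("p0", "s_a"): "p1", ("p0", "s_b"): "p1", ("p1", "ack"): "p0"})
QUEUE = QueueComponent({"s_a": "a", "s_b": "b", "r_a": "a", "r_b": "b"})
```

Every operation is a prefix test or a comparison on tuples, which is what makes the queue component cheap regardless of how many messages are in flight; the bounded variant with free-slot conditions F only adds a second prefix test on the receive word to the Send case.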
Esparza and Römer [?] compute the complete prefix of systems for which the queues are bounded. Because they only manage finite state machines, they use the queue model of an earlier figure, viewed as a product of state machines. A first implementation of the unfolding algorithm presented in this paper, which also deals with queues of finite but unknown bound, has been designed. This tool has been used to compare the two implementations on an example of a producer and a consumer communicating through a queue. The producer sends a finite sequence of messages. In this experiment, our implementation leads to the construction of branching processes whose number of events is constant, independently of the size of the queue (finite or not). On the contrary, considering the queue as a product of finite state machines leads to unfoldings whose number of events increases linearly with the size of the queue.

6 Concluding Remarks 

In this paper, we have presented a general technique for the modular construction of complete prefixes adapted to systems composed of Petri nets. This construction is based on a definition of a well-adapted order allowing combination. Moreover, the technique has been instantiated in an efficient algorithm for systems combining finite state machines and queues of known or unknown bound.

It is important to note that all the verification techniques based on the analysis of a complete prefix can be used in our context. Moreover, the modular construction and the identification of the component parts of the prefix should allow the design of new verification techniques. As an example, one can easily compute the bound of a queue directly on the resulting prefix. We claim that the presented method is sufficiently generic to be instantiated to other types of components, and we presently work in this direction.
Abstract. We address the verification of programmable logic controllers (PLC). In our approach, a PLC program is translated into a special type of colored Petri net, a so-called register net (RN). We present analysis methods based on the partial order semantics of RN's, which allow the generation of partial order traces as counterexamples in the presence of programming errors. To that purpose, the behavior description 'concurrent automaton', introduced in [?] for safe Petri nets, is lifted to the dedicated RN's.



1 Introduction 

In this paper, we address the verification of industrially applied controllers. We concentrate on software for programmable logic controllers (PLC). The international norm IEC 1131-3 [?] defines several languages for PLC programming: sequential function charts, structured text, ladder diagrams, function block diagrams, and, most elementary, an assembler-like language called instruction list (IL), on which we will focus here.

Let us outline the main ideas: 

Organization of the verification process. An IL program is compiled into a ded- 
icated type of colored Petri net, called register net (RN). RN’s represent the 
control flow of an IL (i.e. the order of computation of program parts as deter- 
mined by jumps and labels) by means of a Petri net (to be precise, an elementary 
net system (ENS)), and the data flow (memory and hardware addresses and ac- 
cumulators) by registers containing non-negative integers. Transitions can read 
and modify data, and their occurrence can depend on data. 

The verification process is done as follows: after compiling the IL program into a RN, a model of the environment of the PLC is added to the resulting net, i.e. a model of the controlled facility (also in the form of a RN). Such an environment model is necessary for the following reason: sensor values tested by the PLC change because of actuator actions influenced by the PLC. This behavior has to be captured in some way.

* This work is supported by the German Research Council under grant ME 1557/1-1.

Additionally, we want also to be able to deal with (parts of) plants comprising 
several facilities and associated PLC’s. PLC’s of different machines communicate 
in an implicit manner by the changes of sensor values: If a transport belt is 
activated by a PLC, a light barrier associated with some other PLC will observe 
the passing of the transported blank. 

The analysis will be done on the composed model consisting of the RN of 
the environment and the RN’s of the several PLC’s. In this paper, we focus on 
three types of system properties: 

1. absence/presence of deadlocks (which is merely a side effect of our analysis technique),

2. run-time errors like overflows and division by zero, and

3. simple safety properties. A simple safety property is an assumption on data values describing system states which are not allowed to occur.

Mathematical Considerations. Since RN's will be used for analysis purposes, a mathematically sound model of the behavior of a RN is needed. We prefer a partial order semantics to the more familiar interleaving semantics for the following reason: interleaving semantics is based on the notion of sequences of transition occurrences acting on a global state space of the system. In terms of PLC's: a global state is the product of the states of all the PLC's in the plant. Because concurrency and causality are not visible in sequences, such a semantics gives the somewhat misleading picture that anything in a plant has to do something with everything else. But in a real plant, many processing steps can be (and are) performed independently of other processing steps.

In using partial order semantics, independence and causality become visible. The idea is to model causal dependence and independence of system actions by the mathematical concept of a partial order. If $e_1$ and $e_2$ are system actions (elementary processing steps or the computation of a single command in an IL program), then we use the notation $e_1 < e_2$ to indicate that $e_1$ has to precede $e_2$ in time, or that $e_1$ is a necessary precondition of $e_2$. On the other hand, if neither $e_1 < e_2$ nor $e_2 < e_1$ holds, then $e_1$ and $e_2$ are concurrent or independent of each other. We write $e_1 \ \mathit{co} \ e_2$.

There are many types of partial order semantics of Petri nets, for instance Mazurkiewicz traces, (prime) event structures, pomsets (partial words), or (branching) processes. We use so-called semi-words [?], which are basically partial orders of system actions.

Analysis Technique. For colored Petri nets (and therefore for RN's), several analysis techniques are available, e.g. place invariant analysis or reachability graph (state graph) generation. Additionally, methods of classical Petri net theory can be applied to the unfolding of the RN.

We focus on an alternative approach, namely the description of the behavior of a RN by means of a concurrent automaton (CA). CA are basically state graphs, however, with transitions comprising partial order representations of parts of the system behavior.

Our choice is motivated by the following reason: partial order based techniques have their strength if the system under consideration exhibits a high degree of concurrency and (more importantly) very few nondeterministic choices. In the given application area, nondeterminism can be used to model random events like system faults or human interference. But we expect that the considered systems are 'almost' deterministic. Therefore, it is likely that partial order techniques behave well in the analysis of PLC programs.

Concurrent automata were introduced by Ulrich [?]. Ulrich uses CA for test case generation. A generation algorithm which is based on the input of an unfolding of a Petri net [?] is given.

The notion of CA has some similarities to step covering graphs [?]. Step covering graphs can be viewed as CA where each transition consists of a semi-order with empty ordering relation, i.e. a step.

Another CA-like approach are process automata, introduced by Burns and Hulgaard [?]. Process automata comprise global states and transitions labelled by processes of safe Petri nets. A stubborn reduced reachability graph [?] is used as the input of a generation algorithm.

The paper is organized as follows: in Section 2 we examine a very small control problem to explain how IL's are translated into RN's. The example serves only as a motivation for the definition of RN's, not as a running example throughout this paper. To meet the page limit, other examples had to be omitted. Section 3 lists the notions and basic definitions used. In Section 4 we introduce RN's formally and define their partial order semantics. Section 5 discusses analysis methods for RN's and introduces CA. In Section 6 we present a generation algorithm for CA of a given RN. Simple safety properties and run-time errors are defined in Section 7, and a corresponding CA-based analysis algorithm is given. Section 8 summarizes our paper and gives an outlook on further work.

2 Instruction Lists 

In this section we discuss a simple control problem [?] to motivate our verification method. Figure 1 shows a hydraulic piston. Two valves are used to increase and decrease the pressure of the liquid in the left and right hand part of the piston case. Activation/deactivation of the actuators Y_l and Y_r opens/closes the left and the right hand valve, respectively. The sensors X_l and X_r indicate whether the piston has reached its leftmost or rightmost position. Finally, there is a switch to start and stop the piston's movement by a human operator.

The piston is expected to behave as follows: if the operator hits the switch (and keeps pressing it), the piston starts moving until it reaches its leftmost or rightmost position, then it moves back in the opposite direction. If the operator releases the switch, the piston has to stop.

Figure 2 shows an IL program to solve this simple control problem. IL is an assembler-like language. Commands act on variables and on an accumulator.
Fig. 1. Hydraulic Piston



For instance, the command LDN z reads: load the negation of the value of the variable z into the accumulator. S and R are set/reset commands, AND is logical conjunction, and ST means store. Of course, conditional and unconditional jumps are supported by IL, and there are also subroutines in the form of functions (procedures without memory) and function blocks (procedures with memory). These 'structured' programming constructs are not allowed to be recursive, i.e. IL's with functions or function blocks can be translated into a formalism with static control structure (e.g. a Petri net). Permitted data types are scalar types like integers, Booleans (the least significant bit (lsb) of a machine word determines its Boolean value), or floats.

The processing cycle of a PLC is as follows: in a first step the sensor values of the controlled environment are read and mapped to input variables by the operating system of the PLC. (In our example, X_l is mapped to x_l, X_r to x_r, and so on.) The next step is the execution of the user program. Finally, the


    VAR_INPUT
        x_l: BOOL;
        x_r: BOOL;
        start: BOOL;
    END_VAR
    VAR_OUTPUT
        y_l: BOOL := FALSE;
        y_r: BOOL := FALSE;
    END_VAR
    VAR
        z: BOOL := FALSE;
    END_VAR

    PROGRAM
        LDN z                (* z selects the left valve when set, the right valve when reset *)
        AND x_r
        S z                  (* rightmost position reached: set z *)
        LD z
        AND x_l
        R z                  (* leftmost position reached: reset z *)
        LDN start
        R z                  (* switch released: reset z *)
        LD z
        AND start
        ST y_l               (* left valve open while the switch is held and z is set *)
        LDN z
        AND start
        ST y_r               (* right valve open while the switch is held and z is reset *)
    END_PROGRAM

Fig. 2. An IL User Program
Fig. 3. Register Net Structures for Some IL Commands



values of output variables are mapped to the actuators of the plant. This process 
is repeated in a fixed time grid, the so-called cycle time. 

RN's are Petri nets (ENS) augmented by registers containing non-negative integer values¹. A transition of a RN is enabled if its pre-places are contained in the current case (marking), its post-places are not (safe firing rule), and if a predicate on register values associated with this transition does not yield false (i.e. yields true or undefined; we will discuss this point later). Additionally, a function on tuples of integers is associated with each transition to determine the effect of the firing of this transition.

Consider Figs. 3 to 5 for some examples of RN's. White (unfilled) circles and boxes are places and transitions of the underlying ordinary Petri net, gray shaded circles are registers. A dashed line (without arrow) from a register to a transition means that the value of this register is read by the transition to determine its enabledness and its output values; a dashed arc from a transition to a register identifies this register as an output register. Dashed lines are labeled with variable symbols, dashed arcs are labelled with expressions on these variables, a mechanism adopted from colored Petri nets to define output functions. Predicates are given by Boolean expressions which appear as transition labels. Finally, to avoid edge crossings we fix the convention that the same register may have several graphical appearances.

Figure 3 shows some register net structures associated with several IL commands. Figures 3(a) and 3(b) give the RN semantics of the LDN and AND commands. We use $\bar{x}$ to denote the bitwise negation of $x$, and $x \,\&\, y$ for the bitwise conjunction of $x$ and $y$. (Recall that the Boolean value of an $n$-bit integer is determined by its lsb.) The set command S (Fig. 3(c)) and the reset command R are conditional commands: their arguments get a new value only if the value of acc (the accumulator) is true. We therefore have to use two alternative transitions to describe the semantics of these commands, one which modifies the argument and one which does not: modification of a register clearly defines dependencies between transitions.

Since it is rather obvious, we refrain from giving a complete list of RN structures for all IL commands. It should also be easy to imagine how the RN for the user program of Fig. 2 looks. Figure 4 shows the RN for the 'operating system' of

¹ Clearly, all the scalar types mentioned above can be traced back to integers.
Fig. 4. System Program



a PLC: the system program which maps sensor values to input variables and output variables to actuators. Since we cannot make assumptions on the order in which both mappings occur, we decided to model the mappings as being concurrently executed.

Finally, we have to model the controlled plant (environment model) in order to describe the changes of sensor values in response to the control. In doing this, we are faced with an implicit assumption of any IL program: the PLC is fast enough to observe any change of sensor values. We reflect this assumption by adding a so-called blocking register blk to our model: a transition is only allowed to modify a register associated with a sensor if the register blk contains the value 0. This transition modifies the blk register by writing the value 1 into it; therefore, no other transition modifying sensors is allowed to fire until blk is reset to 0. This is done by the RN model of the system program. It also makes sure that the environment model is blocked while the user program is executed.

A very similar approach to blocking the environment is described by the authors of [?]: they use safe Place/Transition nets to model both the PLC program and its environment. A blocking place is added to prevent value changes while the PLC program is executed. However, in this approach the environment is never blocked if the PLC program is idle.

Figure 5 shows an environment model for the hydraulic piston. It comprises the basic states r (right hand position), m (middle position), and l (left hand position).
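As an added example that is not part of the paper (which works on register nets and concurrent automata), the following Python code interprets the Boolean subset of IL used in Fig. 2, composes one scan of the program with a small model of the piston, and enumerates the reachable global states in an interleaving state graph to check a simple safety property and the stop-on-release requirement. The environment semantics are assumptions made for this illustration: y_l moves the piston one position to the left per cycle, y_r one position to the right, the piston may also stay where it is (at most one sensor change per cycle, which is what the blocking register enforces), and the operator may press or release the switch in every cycle. All function names and the deliberately faulty variant of the program are constructed here.

```python
import itertools
from typing import Dict, List, Set, Tuple

Instr = Tuple[str, str]
Memory = Dict[str, bool]

# The user program of Fig. 2; every operand is a Boolean variable.
PISTON_PROGRAM: List[Instr] = [
    ("LDN", "z"), ("AND", "x_r"), ("S", "z"),        # rightmost position reached: set z
    ("LD", "z"), ("AND", "x_l"), ("R", "z"),         # leftmost position reached: reset z
    ("LDN", "start"), ("R", "z"),                    # switch released: reset z
    ("LD", "z"), ("AND", "start"), ("ST", "y_l"),    # left valve while switch held and z set
    ("LDN", "z"), ("AND", "start"), ("ST", "y_r"),   # right valve while switch held and z reset
]

# Constructed fault for the example: the outputs no longer depend on the switch.
BUGGY_PROGRAM: List[Instr] = [i for i in PISTON_PROGRAM if i != ("AND", "start")]


def scan(program: List[Instr], mem: Memory) -> Memory:
    """One execution of the user program with accumulator semantics (LD, LDN, AND,
    conditional S/R, ST); returns the new variable assignment."""
    mem = dict(mem)
    acc = False
    for op, var in program:
        if op == "LD":
            acc = mem[var]
        elif op == "LDN":
            acc = not mem[var]
        elif op == "AND":
            acc = acc and mem[var]
        elif op == "S":            # set the variable only if acc is true
            if acc:
                mem[var] = True
        elif op == "R":            # reset the variable only if acc is true
            if acc:
                mem[var] = False
        elif op == "ST":
            mem[var] = acc
        else:
            raise ValueError(f"unsupported IL command {op}")
    return mem


# Environment model (assumption): positions l, m, r; y_l moves one step left, y_r one
# step right, and the piston may also not have moved yet when the next cycle starts.
POSITIONS = ("l", "m", "r")


def environment_step(pos: str, y_l: bool, y_r: bool) -> Set[str]:
    i = POSITIONS.index(pos)
    nxt = {pos}
    if y_l and i > 0:
        nxt.add(POSITIONS[i - 1])
    if y_r and i < 2:
        nxt.add(POSITIONS[i + 1])
    return nxt


State = Tuple[str, bool, bool, bool]   # (position, z, y_l, y_r) at the start of a cycle


def explore(program: List[Instr], start_pos: str = "m") -> Set[State]:
    """All global states reachable when the operator chooses the switch value freely
    in every cycle: read sensors, run the program, write actuators, let the plant move."""
    init: State = (start_pos, False, False, False)
    seen, todo = {init}, [init]
    while todo:
        pos, z, y_l, y_r = todo.pop()
        for start in (False, True):
            mem = {"x_l": pos == "l", "x_r": pos == "r", "start": start,
                   "z": z, "y_l": y_l, "y_r": y_r}
            out = scan(program, mem)
            for pos2 in environment_step(pos, out["y_l"], out["y_r"]):
                s: State = (pos2, out["z"], out["y_l"], out["y_r"])
                if s not in seen:
                    seen.add(s)
                    todo.append(s)
    return seen


def unsafe_states(states: Set[State]) -> Set[State]:
    """Simple safety property: both valves must never be open at the same time."""
    return {s for s in states if s[2] and s[3]}


def stops_when_released(program: List[Instr]) -> bool:
    """Stop requirement: with the switch released, one scan clears both outputs from any state."""
    for pos in POSITIONS:
        for z, y_l, y_r in itertools.product((False, True), repeat=3):
            out = scan(program, {"x_l": pos == "l", "x_r": pos == "r", "start": False,
                                 "z": z, "y_l": y_l, "y_r": y_r})
            if out["y_l"] or out["y_r"]:
                return False
    return True


if __name__ == "__main__":
    states = explore(PISTON_PROGRAM)
    print(len(states), "reachable states,", len(unsafe_states(states)), "unsafe")
    print("stops when released:", stops_when_released(PISTON_PROGRAM),
          "/ faulty variant:", stops_when_released(BUGGY_PROGRAM))
```

The state graph is tiny here because the piston is the only concurrent activity; with several PLC's and facilities it is exactly the product of all their states that the partial order approach of this paper avoids building, while the properties checked (a forbidden combination of data values, an output that must follow from an input) are the simple safety properties defined in Section 1.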

Finally, let us turn to another detail of our modelling approach. We mentioned already that registers contain non-negative integers, which actually means: values of PLC variables. These values cannot be arbitrarily large, but are restricted to the range $[0..2^m - 1]$, where usually $m = 8$ or $m = 16$ is some constant. What happens if a user program tries to increase such a value beyond $2^m - 1$? Another question is: what happens in the case of dividing by zero? Such 'undefined behavior' (even if the programmer knows that $(2^8 - 1) + 1$ equals 0 in 8-bit arithmetic) is in almost every case unintended, hence a programming fault.

Fig. 5. Piston Environment Model

To capture run-time errors of this type, we allow predicates and functions associated with transitions to return a special value $\bot$ (read 'undefined'), and we assume them to be strict (i.e. $f(\bot) = \bot$). $\bot$ models unknown behavior; we cannot define that a RN transition is not enabled if one of its input registers contains $\bot$: especially if this transition is located in the environment model, such a definition would model a rather unrealistic behavior. Therefore we decide to make a transition enabled even if the associated predicate yields $\bot$: in case of unknown behavior every behavior is possible.



3 Mathematical Background 



This section summarizes the basic notations used throughout this paper. 

To avoid tedious notation, we fix the following convention: If a structure 
$S = (A, B, \ldots)$ is introduced, the components of $S$ will always be denoted by 
$A_S, B_S, \ldots$. $\mathbb{N}$ denotes the set of non-negative integers, $\mathbb{B} = \{\mathit{false}, \mathit{true}\}$ is the 
set of Boolean values. 

For some set $A$, $\mathcal{P}(A)$ is the set of all subsets of $A$. For $R \subseteq A \times B$ and 
$a \in A$, we denote the image of $a$ under $R$ by $R(a) =_{df} \{b \in B \mid a\,R\,b\}$. For 
$C \subseteq A$ we define $R(C) =_{df} \bigcup_{a \in C} R(a)$. The inverse $R^{-1} \subseteq B \times A$ of $R$ is 
defined by $b\,R^{-1}\,a \Leftrightarrow_{df} a\,R\,b$. $R^+ \subseteq A \times A$ denotes the least transitive relation 
containing $R \subseteq A \times A$. For every set $A$ and $n \geq 0$, $A^n$ is defined by $A^0 =_{df} \emptyset$ 
and $A^n =_{df} A^{n-1} \times A$. For sets $A_1, A_2, \ldots, A_n$, and some $i \leq n$, the projection 
$pr_i : A_1 \times A_2 \times \cdots \times A_n \to A_i$ is defined to be $pr_i((a_1, a_2, \ldots, a_n)) =_{df} a_i$. 

To deal with partial functions, we define $A_\bot =_{df} A \cup \{\bot\}$ for any set $A$. If 
$f : A \to B$ is a partial function, then the total function $f^\bot : A_\bot \to B_\bot$ is defined 
as 

$$f^\bot(x) =_{df} \begin{cases} \bot, & \text{if } x = \bot \text{ or } f(x) \text{ is undefined;} \\ f(x), & \text{otherwise.} \end{cases}$$

This notion also applies to $n$-ary functions. 
A (finite) labeled partial order (lpo) $a = (E, <, \lambda)$ over some alphabet $T$ 
consists of a finite set $E$ of events, an (irreflexive) partial order $< \subseteq E \times E$, called 
the precedence relation of $a$, and a labeling function $\lambda : E \to T$. $\varepsilon = (\emptyset, \emptyset, \emptyset)$ is 
the empty lpo. If $t \in T$ is a symbol, then $t$ is also used to denote the letter 
$(\{0\}, \emptyset, \{(0, t)\})$. 

The relation $co_a$ is defined by $e_1\, co_a\, e_2 \Leftrightarrow_{df} \neg(e_1 <_a e_2) \wedge \neg(e_2 <_a e_1)$. A 
set $C \subseteq E$ is called a co-set, iff we have $e_1 \neq e_2 \Rightarrow e_1\, co_a\, e_2$ for all $e_1, e_2 \in C$. 
A semi-order is an lpo $a$ where for all $e_1, e_2 \in E_a$, $e_1\, co_a\, e_2 \Rightarrow \lambda_a(e_1) \neq \lambda_a(e_2)$. 
$SO(T)$ denotes the class of semi-orders over $T$. 

We now introduce the prefix relation and the notion of sequentialization for 
lpo's. Since we want to abstract from the specific events of lpo's, both concepts 
are presented in terms of homomorphisms between lpo's. 

Let $a$ and $b$ be lpo's. A mapping $h : E_a \to E_b$ is called a homomorphism, iff 
$e_1 <_a e_2$ implies $h(e_1) <_b h(e_2)$ for all $e_1, e_2 \in E_a$ and furthermore, $\lambda_a = \lambda_b \circ h$. 
It is called an embedding, iff it is an injective homomorphism with the property 
$h(<_a^{-1}(e)) = <_b^{-1}(h(e))$. A bijective embedding is called an isomorphism. $a$ is 
called a prefix of $b$, denoted by $a \leq b$, iff there is an embedding $h : E_a \to E_b$. We 
write $a \cong b$ if $a \leq b$ and $b \leq a$ holds. $a$ is called a sequentialization of $b$, denoted 
by $b \sqsubseteq a$, iff there is a bijective homomorphism $h : E_b \to E_a$. 

In [3] we proved that if $a \leq b$ holds for semi-orders $a, b$ over the same alphabet, 
then the embedding of $a$ into $b$ is unique. We denote it by $E_{ab} : E_a \to E_b$. 

Clearly, $\cong$ is an equivalence relation. A semi-word is an equivalence class 
of semi-orders. We write $[a] = [E_a, <_a, \lambda_a]$ to denote the equivalence class of 
an lpo $a$. The same notion applies to semi-words. A semi-language is a set of 
semi-words. $SW(T)$ denotes the class of semi-words over $T$. 

We fix the following conventions: If $a, b, c, \ldots$ are semi-orders, then we 
use boldfaced lowercase letters $\mathbf{a}, \mathbf{b}, \mathbf{c}, \ldots$ to denote their equivalence classes 
$[a], [b], [c], \ldots$ Hence, for instance, $E_{\mathbf{a}}$ will always refer to the event set of a 
representative of $\mathbf{a} = [a]$. Especially, if $t$ is a letter, then $\mathbf{t} = [t]$. The equivalence 
class of $\varepsilon$ will also be denoted by $\boldsymbol{\varepsilon}$. 

Now it is easy to prove that both $\leq$ and $\sqsubseteq$ are preorders on the class of lpo's. 
If we put $\mathbf{a} \leq \mathbf{b} \Leftrightarrow_{df} a \leq b$, and $\mathbf{a} \sqsubseteq \mathbf{b} \Leftrightarrow_{df} a \sqsubseteq b$ for all $a \in \mathbf{a}$, $b \in \mathbf{b}$, then $\leq$ 
and $\sqsubseteq$ are partial orders on semi-words. 



4 Register Nets and Their Partial Order Semantics 

In this section we are going to introduce formally the notion of register nets 
(RN's). We start with the definition of a net, i.e. the graph representation of the 
control flow part of a RN. 

Definition 1 (Net). A net $(P, T, F)$ consists of non-empty, finite sets $P$ and 
$T$ such that $P \cap T = \emptyset$, where the elements of $P$ and $T$ are called places and 
transitions, respectively, and a flow relation $F \subseteq (P \times T) \cup (T \times P)$. We assume 
that $F(t) \neq \emptyset$ and $F^{-1}(t) \neq \emptyset$ for each $t \in T$. 

In the above definition, places are local system states, and transitions are 
used to model the changes of local system states according to the flow relation. 

Definition 2 (Register Net). A register net $V = (P, T, F, R, \rho, G, P, s)$ (a 
RN, for short) consists of the following components: 

1. $P$, $T$, and $F$ are such that $(P, T, F)$ is a net. 

2. $R$ is a finite set of registers. We assume $R \cap (P \cup T) = \emptyset$. 

3. A mapping $\rho : T \to R^* \times R^*$; $\rho(t)$ is called signature of $t$. To reduce 
the notational effort, we use the following shortcuts. Let $\rho(t) = (r_1 r_2 \ldots r_n, r'_1 r'_2 \ldots r'_k)$: 

   a) $in(t) =_{df} n$ (input arity of $t$), and $out(t) =_{df} k$ (output arity of $t$), 

   b) $rd(t, i) =_{df} r_i$ for $1 \leq i \leq in(t)$ (input register selection of $t$), and 
   $wr(t, j) =_{df} r'_j$ for $1 \leq j \leq out(t)$ (output register selection of $t$), 

   c) $mod(t) =_{df} \{wr(t, j) : 1 \leq j \leq out(t)\}$ (the registers modified by $t$), 

   d) $ac(t) =_{df} \{rd(t, i) : 1 \leq i \leq in(t)\} \cup mod(t)$ (access registers of $t$). 

   We assume $1 \leq i \neq j \leq in(t) \Rightarrow rd(t, i) \neq rd(t, j)$ and $1 \leq i \neq j \leq out(t) \Rightarrow wr(t, i) \neq wr(t, j)$. 

4. A family $P = \{P_t\}_{t \in T}$ of partial mappings $P_t : \mathbb{N}^{in(t)} \to \mathbb{B}$ (predicates). 

5. A family $G = \{G_t\}_{t \in T}$ of partial mappings $G_t : \mathbb{N}^{in(t)} \to \mathbb{N}^{out(t)}$ (functions). 

6. $s \in \mathcal{P}(P) \times (R \to \mathbb{N}_\bot)$, an initial state. 

Let us discuss the above definition in more detail: The signature $\rho(t)$ of a 
transition gives us information on the arguments of the predicate and the function 
associated with this transition. If $\rho(t) = (r_1 r_2 \ldots r_n, r'_1 r'_2 \ldots r'_k)$, then we 
will associate a function $G_t$ with $t$, which obtains the values of the registers 
$r_1, r_2, \ldots, r_n$ and computes new values for the registers $r'_1, \ldots, r'_k$. The 
enabledness of $t$ depends also on the regist ers $r_1, r_2, \ldots, r_n$: $t$ becomes enabled 
only in the case where $P_t^\bot(r_1, r_2, \ldots, r_n)$ yields not false, i.e. either true or 
undefined. 

Definition 3 describes system states of a RN $V$ as pairs comprising a marking 
of $V$ and an assignment of non-negative numbers to registers. 

Definition 3 (State). A marking of a RN $V$ is a set $q \subseteq P_V$. A register 
assignment of $V$ is a mapping $\sigma : R_V \to \mathbb{N}_\bot$. A state of $V$ is a pair $s = (q, \sigma)$, 
where $q$ is a marking of $V$ and $\sigma$ is a register assignment of $V$. By $\Sigma(V) =_{df} 
\mathcal{P}(P_V) \times (R_V \to \mathbb{N}_\bot)$ we denote the set of possible states of $V$. A register 
assignment $\sigma$ is $K$-restricted for some constant $K > 0$, if $\sigma(r) \leq K$ for each 
$r \in R_V$. $(q, \sigma) \in \Sigma(V)$ is called $K$-restricted if $\sigma$ is $K$-restricted. 

Data types permitted by IEC 1131-3 are scalar types like integers, 
Booleans, floats, etc., but restricted to a representation by $m$ bits. To simplify 
our definitions, each of these data types is mapped onto the set $\mathbb{N}$ of non-negative 
integers; the specific interpretation of a value (e.g. the interpretation of the numbers 
0 and 1 as the Boolean values false and true) is assumed to be done by the 
mappings $G_t$. However, to put the $m$-bit restriction into our model, we assume 
that there is an upper bound $K$ on each possible register value. 

Definition 4 ($K$-Restricted RN). $V$ is restricted to some constant $K > 0$ 
($K$-restricted, for short), iff for each transition $t \in T_V$ and for all $k_i \leq K$ 
we have that $G_t^\bot(k_1, k_2, \ldots, k_n) \neq \bot$ implies $pr_j(G_t^\bot(k_1, k_2, \ldots, k_n)) \leq K$ 
($1 \leq i \leq in(t)$, $1 \leq j \leq out(t)$). $V$ is restricted if it is $K$-restricted and $s_V$ is 
$K$-restricted. 

We are now going to define the partial order semantics of RN's using the 
notion of semi-orders. The effect of the firing of a semi-order is described by the 
simultaneous effect of the order-respecting occurrence of each event of the semi-order 
on both the marking component and the register assignment component 
of a state. 

To simplify the definition of a firing rule of semi-orders in a RN, we need 
some additional notation: 

Definition 5. Let $a \in SO(T_V)$ for some RN $V$. We define $e^- =_{df} F_V^{-1}(\lambda_a(e))$, 
and $e^+ =_{df} F_V(\lambda_a(e))$ for each $e \in E_a$. If $C \subseteq E_a$, we put $C^- =_{df} \bigcup_{e \in C} e^-$ and 
$C^+ =_{df} \bigcup_{e \in C} e^+$. If no confusion is possible, we write $rd(e, i)$ for $rd(\lambda_a(e), i)$, 
$in(e)$ for $in(\lambda_a(e))$, $G_e$ for $G_{\lambda_a(e)}$, and so on. 



Definition 6. Let $a \in SO(T_V)$ for some RN $V$ and let $C \subseteq E_a$, $q$ be a marking 
of $V$ and $\sigma$ be a register assignment of $V$. We define mappings $\delta_V : \mathcal{P}(P_V) \times E_a \to 
\mathcal{P}(P_V)$, $\delta'_V : (R_V \to \mathbb{N}_\bot) \times E_a \to (R_V \to \mathbb{N}_\bot)$, and $\pi_V : (R_V \to \mathbb{N}_\bot) \times E_a \to \mathbb{B}$ 
by 

$$\delta_V(q, e) =_{df} (q - e^-) \cup e^+$$

$$\delta'_V(\sigma, e)(r) =_{df} \begin{cases} pr_j(G_e^\bot(\sigma(rd(e, 1)), \ldots, \sigma(rd(e, in(e))))), & \text{if } r = wr(e, j) \text{ and } 1 \leq j \leq out(e); \\ \sigma(r), & \text{otherwise} \end{cases}$$

$$\pi_V(\sigma, e) =_{df} P_e^\bot(\sigma(rd(e, 1)), \ldots, \sigma(rd(e, in(e)))) \neq \mathit{false}$$

$\delta_V$ and $\delta'_V$ are inductively lifted to subsets $C \subseteq E_a$ by putting $\Delta_V(q, C) \subseteq 
\mathcal{P}(P_V)$ and $\Delta'_V(\sigma, C) \subseteq (R_V \to \mathbb{N}_\bot)$ to be the smallest sets such that 
$\delta_V(\Delta_V(q, C - \{e\}), e) \subseteq \Delta_V(q, C)$, and $\delta'_V(\Delta'_V(\sigma, C - \{e\}), e) \subseteq \Delta'_V(\sigma, C)$, 
where $e \in \max_{<_a} C$ and $C \neq \emptyset$ (with $\delta_V$ and $\delta'_V$ applied elementwise to sets); 
moreover we put $\Delta_V(q, \emptyset) = \{q\}$, and 
$\Delta'_V(\sigma, \emptyset) = \{\sigma\}$ to terminate this recursive computation rule. Finally, we define 
$\Delta_V((q, \sigma), C) =_{df} (\Delta_V(q, C), \Delta'_V(\sigma, C))$. 

The mappings $\delta_V$ and $\delta'_V$ describe the effect of the occurrence of a single event 
on the marking component and the register assignment component of a state. $\pi_V$ 
is used to determine whether a transition $t$ with associated predicate $P_t$ is able to 
fire or not. $\Delta_V$ and $\Delta'_V$ describe the effect of a set of events $C$ on a state. The idea 
is that the events of $C$ occur in an order compatible with $<_a$ (i.e., if $e <_a e'$, then 
$e$ occurs before $e'$; independent events can occur in any order). But for now, we 
cannot say yet whether two events with $e\, co_a\, e'$ are independent in $V$. Therefore, 
$\Delta_V$ and $\Delta'_V$ cannot be defined as partial mappings $\Delta_V : \mathcal{P}(P_V) \times \mathcal{P}(E_a) \to \mathcal{P}(P_V)$ 
and $\Delta'_V : (R_V \to \mathbb{N}_\bot) \times \mathcal{P}(E_a) \to (R_V \to \mathbb{N}_\bot)$. But as we will see below, if $a$ has 
a certain property ($V$-consistence), both $\Delta_V(q, C)$ and $\Delta'_V(\sigma, C)$ are singletons 
for each state $(q, \sigma)$ and each subset $C \subseteq E_a$ of events, and therefore, they can 
be considered as partial functions. 

Definition 7 (Dependence and Independence Relation). If $V$ is a RN, 
then the relation $D_V \subseteq T_V \times T_V$ is defined by 

$$t_1\, D_V\, t_2 \Leftrightarrow_{df} (mod(t_1) \cap ac(t_2) \neq \emptyset \vee mod(t_2) \cap ac(t_1) \neq \emptyset) \vee (F_V(t_1) \cup F_V^{-1}(t_1)) \cap (F_V(t_2) \cup F_V^{-1}(t_2)) \neq \emptyset.$$

The complement of $D_V$, i.e. the relation $(T_V \times T_V) - D_V$, is called the independence 
relation of $V$ and is denoted by $I_V$. A co-set $C$ of a semi-order $a$ is called 
independent in $V$ iff for all $e, e' \in C$, $e \neq e'$ implies $\lambda_a(e)\, I_V\, \lambda_a(e')$. $a$ is called 
$V$-consistent iff each co-set of $a$ is independent in $V$. By $SO_V(T_V)$ ($SW_V(T_V)$) 
we denote the class of $V$-consistent semi-orders (semi-words) over $T_V$. 

Note: If $a$ is a semi-order over $T_V$ such that $<_a$ is a linear ordering, then $a$ 
is $V$-consistent. 

Lemma 8. Let $V$ be a RN and let $(q, \sigma) \in \Sigma(V)$. For each $V$-consistent semi-order 
$a$ and each $C \subseteq E_a$, the sets $\Delta_V(q, C)$ and $\Delta'_V(\sigma, C)$ are singletons. 

Proof. We show the lemma only for $\Delta'_V$, as the other part follows the same line. 
If $C = \emptyset$, then we have $\Delta'_V(\sigma, C) = \{\sigma\}$ by definition, and we are left with 
the case $C \neq \emptyset$. Let $e, e' \in \max_{<_a} C$. We have to prove that $\Delta'_V(\sigma, C - \{e\}) = 
\Delta'_V(\sigma, C - \{e'\})$ for all possible choices of $e$ and $e'$. For induction let us assume 
that $\Delta'_V(\sigma, C - \{e, e'\}) = \{\sigma'\}$ is a singleton. Now it is enough to show that 
$\delta'_V(\delta'_V(\sigma', e), e') = \delta'_V(\delta'_V(\sigma', e'), e)$. But this follows immediately from the fact 
that $\lambda_a(e)\, I_V\, \lambda_a(e')$ holds, i.e. $\lambda_a(e)$ and $\lambda_a(e')$ modify different registers (if 
any) and neither reads a register modified by the other. □ 

Because of this lemma, we will consider $\Delta_V$ and $\Delta'_V$ as mappings, as they 
will be applied only to event sets of $V$-consistent semi-orders. 

Definition 9 (Firing Rule). Let $a$ be a $V$-consistent semi-order over $T_V$ for 
some RN $V$. Then $a$ is enabled at a state $s = (q, \sigma) \in \Sigma(V)$ iff for each co-set 
$C$ of $a$ the following conditions are satisfied: 

$$C^- \subseteq \Delta_V(q, <_a^{-1}(C)) \;\&\; (C^+ - C^-) \cap \Delta_V(q, <_a^{-1}(C)) = \emptyset, \text{ and} \qquad (1)$$

$$\forall e \in C\, \big(\pi_V(\Delta'_V(\sigma, <_a^{-1}(C)), e)\big). \qquad (2)$$

If $a$ is enabled at $s$, we denote this by $s \stackrel{a}{\Longrightarrow}$. $a$ fires from $s$ to $s' \in \Sigma(V)$ iff 
$s' = \Delta_V(s, E_a)$; this is denoted by $s \stackrel{a}{\Longrightarrow} s'$. 

Finally, we call a transition $t \in T_V$ enabled at some state $s \in \Sigma(V)$ if $t$ 
considered as a letter is enabled at $s$. A set $C \subseteq T_V$ of transitions is enabled 
at $s$ if $t_1, t_2 \in C \;\&\; t_1 \neq t_2 \Rightarrow t_1\, I_V\, t_2$ and $s \stackrel{t}{\Longrightarrow}$ for all $t \in C$ holds. If $C$ is 
enabled at $s$, then we call $C$ a step. 

Condition (1) is a generalization of the usual enabledness condition for ENS. 
It reads: $C$ is enabled at $q$ if the marking $q'$ obtained by firing the history of 
$C$ (the set $<_a^{-1}(C)$) subsumes the pre-conditions of $C$, and additionally, the 
places produced by $C$ are not yet contained in $q'$. Condition (2) says that if an 
event $e$ of $C$ has an associated predicate $P_e$, then $P_e$ is not false at the register 
assignment obtained by firing the history of $C$. 

Definition 10 (Reachable States and Semi-Language of a RN). By 
$R_V(s) =_{df} \{s' \in \Sigma(V) : \exists a \in SO(T_V)\, (s \stackrel{a}{\Longrightarrow} s')\}$ we denote the set of states 
reachable from some state $s$ of $V$, and $SL_V(s) =_{df} \{\mathbf{a} \in SW_V(T_V) : s \stackrel{a}{\Longrightarrow}\}$ is 
the semi-language of $V$ at $s$. Finally, we put $SL(V) =_{df} SL_V(s_V)$. 



Lemma 11. If $s$ is a $K$-restricted state of a $K$-restricted RN $V$, then $R_V(s)$ is 
finite, and moreover, each $s' \in R_V(s)$ is also $K$-restricted. 

Proof. Simple induction on firing sequences. □ 



5 Analysis of Register Nets 

It is not hard to see that RN's have the computational power of Turing machines. 
The easiest way to prove this fact is to reduce counter machines to 
RN's. Counter machines are finite state machines equipped with a set of counters 
containing non-negative integer values. Each counter can be decremented 
or incremented by one. Additionally, a state change of a counter machine can 
depend on a test whether a counter contains the value zero. It is quite obvious 
how to translate a counter machine into a RN. 

On the other hand, $K$-restricted RN's can be translated into an ENS and 
therefore, they are strictly less powerful than Turing machines. The translation 
is done by adding places for each pair $(r, k)$, where $r$ is a register and $0 \leq 
k \leq K$ is an integer. The marking of such a place represents the fact that the 
register $r$ contains the value $k$. Transitions $t$ which access registers are replaced by 
transitions which move tokens according to the possible values of the predicates 
$P_t$ and functions $G_t$. This transformation is known as unfolding in the context 
of colored Petri nets. Clearly, the unfoldings of RN's tend to be very large, and 
therefore, many analysis tools are not applicable to those unfoldings because 
the size of the input net violates memory limitations. 

There are better ways to unfold a RN. One way is to use a binary representation 
of the register values [5]: For each $K$-restricted register $r$, $2N$ places will be added, 
where $N = \lceil \log_2(K + 1) \rceil$ (hence: $K < 2^N$). Let these places be called $r_0, r_1, \ldots, r_{N-1}$ 
and $\bar{r}_0, \bar{r}_1, \ldots, \bar{r}_{N-1}$, respectively, and let $k_0 k_1 \ldots k_{N-1}$ be the binary representation 
of a value $k$. Then the fact that $r$ contains the value $k$ is represented 
by the marking $\{r_i : k_i = 1\} \cup \{\bar{r}_i : k_i = 0\}$. It is not hard (although quite 
lengthy) to implement operations like integer addition or division in terms of a 
binary coding of values by means of ENS. Although binary value coding leads 
to smaller nets than unary value coding (ordinary unfolding), in our experience, 
the resulting nets are in many cases still too large for an analysis. 

It should be noted that both transformations preserve the interleaving semantics 
of a RN (under a suitable notion of language homomorphism), but they 
do not preserve its partial order semantics. The reason is that transitions accessing 
a common set of registers can occur concurrently (see Def. 7), but not those 
transitions which access a common set of places. 

Another way to analyze RN's is to find dedicated analysis methods for 
those nets. In this paper, we will describe the partial order representation of the 
behavior of a RN by means of concurrent automata. To do that, we need some 
more mathematical machinery. 

Definition 12. If $V$ is a RN and $a \in SO_V(T_V)$, then $\langle a \rangle_V$ is defined by 
$\langle a \rangle_V =_{df} [E_a, (<_a \cap D)^+, \lambda_a]$, where $D$ is given by $e_1\, D\, e_2 \Leftrightarrow_{df} \lambda_a(e_1)\, D_V\, 
\lambda_a(e_2)$. Moreover, $\odot_V : SW(T_V) \times SW(T_V) \to SW(T_V)$ is the operator 
$\mathbf{a} \odot_V \mathbf{b} =_{df} [E_a \cup E_b, (<_a \cup <_b \cup D)^+, \lambda_a \cup \lambda_b]$, where $D \subseteq E_a \times E_b$ is as 
defined above (however, with a different domain), and $E_a$ and $E_b$ are assumed 
to be pairwise disjoint. 

The following lemma states that, if we consider a RN $V$, for each member $\mathbf{a}$ 
of the semi-language of $V$ there is a uniquely defined least sequential semi-word 
$\langle a \rangle_V$. Moreover, if least sequential semi-words are concatenated using $\odot_V$, the 
result is also least sequential. The lemma resembles (the second part of) Theorem 
2.2.9 in [15]. 

Lemma 13. For each restricted RN $V$ we have 

1. $\langle a \rangle_V \odot_V \langle b \rangle_V = \langle a \odot_V b \rangle_V$, 

2. $\mathbf{a} \in SL_V(s)$ implies $\langle a \rangle_V \in \min_{\sqsubseteq}(SL_V(s))$ for each state $s$ of $V$, 

3. $\mathbf{a} \in SL_V(s)$, $\mathbf{b} \in SL_V(s')$, and $s \stackrel{a}{\Longrightarrow} s'$ imply $\mathbf{a} \odot_V \mathbf{b} \in SL_V(s)$. 

Proof. (1) holds by set theory. (2) Making a semi-word less sequential than $\langle a \rangle_V$ 
would yield a $V$-inconsistent semi-word. (3) holds by definition. □ 

Definition 14. The set $LSL_V(s) =_{df} \{\langle a \rangle_V \in SW_V(T_V) : \mathbf{a} \in SL_V(s)\}$ 
is called the least sequential semi-language of a RN $V$ at a state $s \in \Sigma(V)$. 
$LSL(V) =_{df} LSL_V(s_V)$ is the least sequential semi-language of $V$. 
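As an added example (not code from the paper), the dependence relation $D_V$ of Definition 7 and the least sequential semi-word $\langle a \rangle_V$ of Definition 12, computed for a firing sequence of a small constructed net; the transition and register names are invented for illustration. Two interleavings that differ only in the order of independent events give the same $\langle a \rangle_V$, which is the sense in which it is the least sequential member of its class.

```python
NET = {
    # constructed transitions: (pre-places, post-places, read regs, written regs)
    "flip":  ({"env"},  {"env"},  ("blk", "S"), ("blk", "S")),
    "cycle": ({"idle"}, {"busy"}, ("S",),       ("Yl", "Yr")),
    "count": ({"busy"}, {"busy"}, ("n",),       ("n",)),
    "lamp":  ({"lamp"}, {"lamp"}, ("Yl",),      ("L",)),
    "end":   ({"busy"}, {"idle"}, (),           ("blk",)),
}

def dependent(t1, t2, net=NET):
    """t1 D_V t2 (Definition 7): a register modified by one transition is
    accessed by the other, or the two transitions share a place."""
    pre1, post1, rd1, wr1 = net[t1]
    pre2, post2, rd2, wr2 = net[t2]
    mod1, mod2 = set(wr1), set(wr2)
    ac1, ac2 = set(rd1) | mod1, set(rd2) | mod2
    return bool(mod1 & ac2 or mod2 & ac1 or (pre1 | post1) & (pre2 | post2))

def events(seq):
    """Name the events of a firing sequence as (label, occurrence number).
    This naming is canonical for semi-orders: equally labelled events are
    always dependent (a transition shares its own places), so they stay
    ordered in <a>_V and the k-th occurrence is well defined."""
    names, count = [], {}
    for t in seq:
        count[t] = count.get(t, 0) + 1
        names.append((t, count[t]))
    return names

def least_sequential(seq, net=NET):
    """<a>_V (Definition 12) for the linear semi-order a = t_1 < ... < t_n
    given as a firing sequence: keep only the order between dependent
    events and close transitively. Returns the precedence relation."""
    names, n = events(seq), len(seq)
    less = {(i, j) for i in range(n) for j in range(i + 1, n)
            if dependent(seq[i], seq[j], net)}
    for k in range(n):            # Warshall closure: (<_a ∩ D)^+
        for i in range(n):
            for j in range(n):
                if (i, k) in less and (k, j) in less:
                    less.add((i, j))
    return frozenset((names[i], names[j]) for i, j in less)

def concurrent_pairs(seq, net=NET):
    """Two-element co-sets of <a>_V: events left unordered, i.e. the
    concurrency that the interleaving hides."""
    names, order = events(seq), least_sequential(seq, net)
    return frozenset(frozenset({names[i], names[j]})
                     for i in range(len(seq)) for j in range(i + 1, len(seq))
                     if (names[i], names[j]) not in order)
```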

Let us now turn to CA. Essentially, a CA of a net $V$ is a finite automaton. 
Its state set consists of reachable markings of $V$. However, the transitions of 
a concurrent automaton are generally not labelled by single symbols, but by 
semi-orders. 

The following questions arise: What is the language recognized by a CA? 
Under which circumstances does this language constitute a complete and correct 
description of the behavior of a RN? 

We choose the following answers to these questions: A CA is complete and 
correct if it recognizes exactly the least sequential semi-language of the associated 
RN. Recognition is defined by combining semi-orders obtained by traversing a 
CA via the $\odot$-operation defined above. 
Definition 15 (Concurrent Automaton). A concurrent automaton (CA) 
over an alphabet $T$ is a structure $A = (S, X, \delta, s)$ comprising a finite set $S$ of 
states, a set $X \subseteq SO(T)$ of semi-orders, a partial transition function $\delta : S \times X \to 
S$, and an initial state $s \in S$. A CA of a RN $V$ is a CA over $T_V$ such that 
$S \subseteq R_V(s_V)$ and $s = s_V$ holds. 

Examples for CA can be found in [3]. 

Definition 16 (Semi-Language of a Concurrent Automaton). Let $A$ be 
a CA of a RN $V$. A path through $A$ is a finite sequence of semi-orders $\alpha = 
a_1 a_2 \cdots a_n$ ($a_i \in X_A$ for $1 \leq i \leq n$) such that there are states $s_0, s_1, \ldots, s_n$ 
with $s_0 = s_A$ and $\delta_A(s_i, a_{i+1}) = s_{i+1}$ is defined for $0 \leq i < n$. Let $P(A)$ denote the 
set of paths through $A$. 

If $\alpha$ is a path through $A$ as given above, then the semi-word $\hat{\alpha}$ is defined 
by $\hat{\alpha} =_{df} \mathbf{a}_1 \odot_V \mathbf{a}_2 \odot_V \cdots \odot_V \mathbf{a}_n$. The semi-language of $A$ is denoted by $SL(A) =_{df} 
\{\mathbf{a} \in SW(T_V) : \exists \alpha \in P(A)\, (\mathbf{a} \leq \hat{\alpha})\}$. 



Definition 17 (Correctness and Completeness). A CA $A$ of a restricted RN 
$V$ is called complete, iff $SL(A) \supseteq LSL_V(s_V)$ holds. It is called correct, iff we 
have $SL(A) \subseteq LSL_V(s_V)$. 

The following lemma is obvious: 

Lemma 18 (Preservation of Dead States). Let $V$ be a RN and let $A$ be a 
correct and complete CA of $V$. $s = (q, \sigma) \in R_V(s_V)$ is dead, iff $s \in S_A$ and 
$\delta_A(s, a)$ is undefined for all $a \in X_A$. 

6 Algorithm 

In [2,3] we discussed an algorithm to generate a concurrent automaton $A$ of a 
safe Petri net. In this section, we modify this algorithm to work with RN's. 

Basic Algorithm. The basic algorithm resembles the reachability graph 
construction algorithm. It works as follows: It starts by introducing the initial state 
$s_A = s_V$ of $A$ into the set $Q$, which contains unprocessed states. If a state $s$ is 
considered, a set of semi-orders enabled at $s$ is generated and appropriate arcs 
are added to $A$. If a new state $s'$ is encountered by the firing of $a$ at $s$, $s'$ is added 
to $S_A$ and $Q$. The algorithm terminates if all states in $Q$ have been completely 
processed. 

We have to consider the following problems: 

1. If s is a state of A already generated, how do we construct an appropriate 
set of semi-orders enabled at s, and 

2. if a is such a semi-order under construction, do we add another event to a 
or do we stop extending a? 
Let us discuss problem 1. Define the forward conflict relation $D_f \subseteq T_V \times T_V$ by 

$$t_1\, D_f\, t_2 \Leftrightarrow_{df} \big((mod(t_1) \cap ac(t_2) \neq \emptyset \vee mod(t_2) \cap ac(t_1) \neq \emptyset) \vee F_V^{-1}(t_1) \cap F_V^{-1}(t_2) \neq \emptyset\big) \;\&\; t_1 \neq t_2,$$

and the forward independence relation by $t_1\, I_f\, t_2 \Leftrightarrow_{df} \neg(t_1\, D_f\, t_2) \;\&\; t_1 \neq t_2$. At 
a state $s$ under consideration, we generate the set $\mathcal{C}$ of all maximal steps $C$ in the 
set $T$ of enabled transitions at $s$ such that 

$$\forall t_1, t_2 \in C\, \big(t_1 \neq t_2 \Rightarrow t_1\, I_f\, t_2 \;\&\; D_f(t_1) \subseteq T \;\&\; D_f(t_2) \subseteq T\big). \qquad (3)$$

$t_1, t_2 \in C$ for different $t_1, t_2$ means that $t_1$ and $t_2$ are forward independent and 
each transition in static forward conflict to $t_1$ or $t_2$ is also enabled at $s$. Hence, 
for a transition $t \in T$ with $D_f(t) \not\subseteq T$ a single step $\{t\}$ is generated. Using (3) 
enables us to deal with confusion situations; see [?] for a detailed discussion. 
Now each step $C$ is turned into a semi-order $a$, i.e., if $C = \{t_1, t_2, \ldots, t_n\}$, 
then $a = (\{1, 2, \ldots, n\}, \emptyset, \{(i, t_i) : 1 \leq i \leq n\})$. Events are added to $a$ until some 
termination criterion holds (see below). 

Problem 2 is solved in the following way: We suppose $V$ to be extended by 
an initialization part, i.e. if $V$ is a restricted RN, we construct a RN $V^*$ from 
$V$ by adding a transition $t_I$ and a place $p_I$ and the arcs $(p_I, t_I)$ and $(t_I, p)$ for 
all $p \in q_{s_V}$ to $V$. $t_I$ has the signature $\rho(t_I) = (\varepsilon, \varepsilon)$, and the predicate true. The 
initial state of $V^*$ is $s_{V^*} = (\{p_I\}, \sigma_{s_V})$. Obviously, the extension of $V$ to $V^*$ does 
not change the behavior of the net significantly: We have $SL_V(s_V) = SL_{V^*}(s_{V^*})$. 

Define for some RN $V$ the backward conflict relation $D_b \subseteq T_V \times T_V$ by 
$t_1\, D_b\, t_2 \Leftrightarrow_{df} F_V(t_1) \cap F_V(t_2) \neq \emptyset \;\&\; t_1 \neq t_2$. In [?] the following is shown for 
safe Place/Transition-nets: 

Lemma 19. Let $V$ be a restricted RN. If there is an infinite sequence of semi-orders 
$a_0, a_1, a_2, \ldots$ such that $a_0 = \varepsilon$ and for all $i \geq 0$, $a_i \in LSL_V(s)$ and 
$a_i \leq a_{i+1}$, then there is some $a_n$ with the following property: If $e \in E_{a_n}$ is an 
event of $a_n$, then there is another event $e' \in E_{a_n}$ with $e <_{a_n} e'$ such that 

1. $<_{a_k}(E_{a_n a_k}(e')) = \emptyset$ for all $k \geq n$, or 

2. $D_b(\lambda_{a_n}(e')) \neq \emptyset$. 

In other words, if we construct such an infinite sequence of semi-orders by 
successively adding transitions of $V$, we will finally end up adding a transition 
with non-empty backward conflict relation. The proof of this lemma can be 
carried out exactly as in [?], because only the ENS part of a RN is used in the 
definition of $D_b$. 

This solves problem 2: If $a$ is a semi-order under consideration enabled at a 
state $s$ of the concurrent automaton which we want to construct, a new event $e$, 
labelled with some transition $t$, is only added if the following conditions hold: 

T1. $t$ is enabled after the firing of $a$ at $s$; 

T2. $D_f(t) = \emptyset$, i.e. events with non-empty forward conflict relation remain minimal 
in $a \odot_{V^*} t$; 

T3. $\forall e \in E_a\, \big(D_b(\lambda_{a \odot_{V^*} t}(e)) \neq \emptyset \Rightarrow e \in \max_{<_{a \odot_{V^*} t}} E_{a \odot_{V^*} t}\big)$, i.e. if an 
event for $t$ is added to $a$, then events of $a$ with a non-empty backward 
conflict relation remain maximal events of $a \odot_{V^*} t$. 

    procedure extend(a : in out SO_V(T_V); s : in out Σ(V*)) is 
      var T : set of T_{V*}; 
    begin 
      T ← addable(a, s); 
      while T ≠ ∅ do 
        select t ∈ T; a ← a ⊙_{V*} t; s ← Δ_{V*}(s, E_t); 
        T ← addable(a, s) 
      od 
    end extend; 

Algorithm 1. Concurrent Automata Generation — Procedure extend. 

Algorithm 1 shows the heart of the algorithm of [?], the procedure extend. 
It is called if a new state $s$ is encountered. The input of this procedure is a 
semi-order $a$ associated with a step $C$ of enabled transitions at $s$, and the state 
$s' = \Delta_{V^*}(s, E_a)$. It makes use of a function $addable(a, s)$, which returns a set 
$T$ of transitions such that conditions T1, T2, and T3 are satisfied for each 
$t \in T$. 

We improve our basic algorithm in the following way. Let $s$ be a state of 
$V^*$ encountered during the generation of a concurrent automaton of $V^*$, and let $T$ 
be the set of enabled transitions at $s$. If we have a transition $t \in T$ such that 
$D_f(t) \not\subseteq T$, then a single step $C = \{t\}$ is generated at $s$. Let us further assume 
that $D_f(t) \cap T = \emptyset$ and let $C$ be another step in $T$ generated at $s$. Let $a$ be the 
semi-order associated with $C$. The procedure extend adds only transitions with 
empty forward conflict relation to $a$, i.e. if $a$ is extended to $a'$, then $t$ remains 
enabled after the firing of $a'$. Therefore, it is not necessary to fire $t$ at $s$; we can 
postpone the consideration of $t$ until the encountering of some other state where 
(hopefully) $t$ belongs to a larger than a single step. This rule has two exceptions: 

1. Each transition $t' \in T$ has the above property, i.e. $D_f(t') \not\subseteq T \;\&\; D_f(t') \cap T = 
\emptyset$. 

2. The firing of a semi-order $a'$ at $s$ leads to a cycle in the concurrent automaton, 
i.e. the state $s' = \Delta_{V^*}(s, E_{a'})$ is already generated, and moreover, $s$ is 
reachable from $s'$. In this case, $t$ would be postponed forever. 

This idea leads to Algorithm 2. The following data structures are used: 

1. $Q$, a stack of states of $V^*$, contains unprocessed states; 

2. $num$ is an array which assigns a unique number to each newly encountered 
state; 
state; 
    algorithm generate is 
      input V, a RN; 
      output A, a CA; 
      local variables Q : stack of Σ(V*); R : stack of N; 
        num : array Σ(V*) of N; i : N := 0; loop : bool; 
        s, s' : Σ(V*); T, C : set of T_{V*}; a : SO_{V*}(T_{V*}); 
        U, V : set of set of T_{V*}; 
    begin 
     (1)  s_A ← s_{V*}; S_A ← {s_A}; X_A ← ∅; δ_A ← ∅; push(Q, s_A); num(s_A) ← i; 
     (2)  while ¬empty(Q) do 
     (3)    s ← top(Q); pop(Q); push(R, num(s)); loop ← false; 
     (4)    T ← enabled(s); V ← singlesteps(T); T ← T − ∪V; U ← steps(T); 
     (5)    if U ≠ ∅ then 
     (6)      foreach C ∈ U do 
     (7)        a ← so(C); s' ← Δ_{V*}(s, E_a); extend(a, s'); 
     (8)        if s' ∉ S_A then 
     (9)          push(Q, s'); S_A ← S_A ∪ {s'}; i ← i + 1; num(s') ← i 
    (10)        elsif member(R, num(s')) then 
    (11)          while top(R) > num(top(Q)) do pop(R) od; loop ← true 
    (12)        fi; 
    (13)        X_A ← X_A ∪ {a}; δ_A(s, a) ← s' 
    (14)      od 
    (15)    fi; 
    (16)    if loop ∨ U = ∅ then 
    (17)      foreach C ∈ V do 
    (18)        a ← so(C); s' ← Δ_{V*}(s, E_a); extend(a, s'); 
    (19)        if s' ∉ S_A then 
    (20)          push(Q, s'); S_A ← S_A ∪ {s'}; i ← i + 1; num(s') ← i 
    (21)        elsif member(R, num(s')) then 
    (22)          while top(R) > num(top(Q)) do pop(R) od; 
    (23)        fi; 
    (24)        X_A ← X_A ∪ {a}; δ_A(s, a) ← s' 
    (25)      od 
    (26)    fi 
    (27)  od 
    end generate; 

Algorithm 2. Concurrent automata generation. 



3. $U$ and $V$ are sets of transition sets. $U$ contains those steps which can be fired 
at a state $s$, $V$ contains single steps which probably can be postponed. The 
loop (6)-(14) deals with steps in the set $U$; single steps in $V$ are considered 
in the loop (17)-(26). 

4. $R$, a stack of state numbers, is used to detect cycles in the constructed 
concurrent automaton. For each pair of states $s, s'$ considered in the outermost 
loop of Algorithm 2, $R$ contains the sequence of numbers of states from $s_A$ 
to $s$ which was computed to construct $s'$. Hence, if $s'$ is already a member of 
$R$, a cycle is detected. In this case, the cycle is removed from $R$ (lines (11) 
and (22)) and every postponed transition is considered in the loop (17)-(26). 

Furthermore, Algorithm 2 uses the following subroutines: 

1. $enabled(s)$ returns the set of enabled transitions at a state $s$ of $V^*$. 

2. $singlesteps(T)$ returns for a transition set $T$ a set of single steps of transitions 
which can probably be postponed. 

3. $steps(T)$ returns the set of all steps in $T$ according to (3). 

4. $so(C)$ returns a semi-order $a$ with empty ordering for the transition set $C$. 

7 Simple Safety Properties and Run-Time Errors 

By a simple safety property we mean a proposition $\varphi$ on register values of a RN 
$V$, which is satisfied at all reachable states of $V$, i.e. $\varphi$ characterizes those states 
of $V$ which are 'good' states. Let $\varphi = \varphi(r_1, r_2, \ldots, r_n)$ denote a propositional 
formula containing $r_1, r_2, \ldots, r_n$ as 'parameters', where for $1 \leq i \leq n$, $r_i$ is a 
register of a RN. Then $\varphi$ is called a simple safety property. A RN satisfies $\varphi$ 
iff for each state $s = (q, \sigma) \in R_V(s_V)$ the formula $\varphi(\sigma(r_1), \sigma(r_2), \ldots, \sigma(r_n))$ is 
true. 

Concerning our example from the case study section, a simple safety property is $Y_l \cdot Y_r = 
0$; i.e. at every time point, at least one of the valves is closed. 

The validation of simple safety properties in the state graph of a RN is 
obviously simple. If we want to use concurrent automata for those validations, 
we have to do some additional work. We use an idea whose origin lies deep in 
the history of Petri net theory: We will add facts for each simple safety 
property to be verified. A fact is a transition which is assumed to be dead at the 
initial marking of a Petri net, i.e. it is assumed to be never enabled. 

A fact $t_\varphi$ of a simple safety property $\varphi(r_1, r_2, \ldots, r_n)$ is a transition with 
the signature $\rho(t_\varphi) = (r_1 r_2 \cdots r_n, \varepsilon)$, the associated predicate $P_{t_\varphi}(k_1, k_2, \ldots, k_n) = 
\neg\varphi(k_1, k_2, \ldots, k_n)$, and the function $G_{t_\varphi} = \emptyset$. 

Let $V_\varphi$ be the RN obtained by adding a fact $t_\varphi$ to $V$. To meet our Definition 
1 we assume a place $p_\varphi$ such that $F_{V_\varphi}(t_\varphi) = \{p_\varphi\} = F^{-1}_{V_\varphi}(t_\varphi)$ and $F_{V_\varphi}(p_\varphi) = 
\{t_\varphi\} = F^{-1}_{V_\varphi}(p_\varphi)$. Clearly, $p_\varphi \in q_{s_V}$, since otherwise $t_\varphi$ would be dead regardless 
of whether $V$ fulfills $\varphi$ or not. 

Then it is clear that $t_\varphi$ is not enabled at a reachable state $s$ of $V_\varphi$ iff this 
state does not violate $\varphi$. Therefore, verification of simple safety properties can 
be performed on-the-fly while constructing a concurrent automaton of $V_\varphi$. If a 
semi-order $a$ containing an event $e$ with $\lambda_a(e) = t_\varphi$ is constructed, a violation of 
$\varphi$ can be reported; additionally, it is possible to give a counter example for $\varphi$: 

Lemma 20. Let $s = (q, \sigma)$ be a state of a RN $V$ such that $s \in R_V(s_0)$, which 
violates the simple safety property $\varphi$. Let $a$ be a minimal semi-order in $LSL_V(s_0)$ 
such that $s_0 \stackrel{a}{\Longrightarrow} s$. Then there is an event $e \in E_a$ such that $\lambda_a(e) = t_\varphi$, and for 
all $e' \in E_a$ with $e' \neq e$ we have $e' <_a e$. 

The minimal semi-order $a$ from the lemma above is called a counter example 
to $\varphi$. 

An algorithm to determine counter examples is immediately at hand: We 
compute a shortest path $s_0 = s_A, s_1, \ldots, s_n$ through a CA $A$ such that $\delta_A(s_n, b)$ 
is defined and $b$ contains this event $e$ with $\lambda_b(e) = t_\varphi$; the shortest path algorithm 
by Dijkstra [?] can be used for this purpose. Next we select semi-orders 
$a_1, a_2, \ldots, a_n$ such that $\delta_A(s_{i-1}, a_i) = s_i$ is defined for $1 \leq i \leq n$, and build the 
semi-order $c = a_1 \odot_V a_2 \odot_V \cdots \odot_V a_n \odot_V b$. Now $a$ is obtained by the restriction 
of $c$ to the event set $<_c^{-1}(e)$. 

By a run-time error we mean the occurrence of the special value $\bot$ in some 
of the registers of a RN $V$. Run-time errors can be formulated as the simple 
safety property $\chi(r_1, r_2, \ldots, r_N) = \mathit{true}$, where $R_V = \{r_1, r_2, \ldots, r_N\}$. Note that 
the associated fact $t_\chi$ is enabled only if $\chi^\bot(\sigma(r_1), \sigma(r_2), \ldots, \sigma(r_N)) = \bot$ for some 
reachable state $s = (q, \sigma)$ of $V_\chi$. Note also: If $\varphi(r_1, r_2, \ldots, r_n)$ is a simple safety 
property, and $\bot$ is assigned to one of the registers at some reachable state $s$, 
then $\varphi$ is violated at $s$, because $t_\varphi$ is enabled at $s$. 
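As an added example (not code from the paper), a small Python interpreter for register nets that ties together the strict $\bot$-lifting $f^\bot$ of Sections 2 and 3, the single-letter firing rule of Definition 9, the $K$-restriction test of Definition 4, and the fact encoding of simple safety properties and run-time errors from this section. The piston net, its register names and $K = 7$ are constructed for illustration and are not the paper's case study; a buggy user program leaves both valves open, and a division by the switch value produces $\bot$.

```python
from collections import deque
from itertools import product

BOT = None  # stands for the special value ⊥ ("undefined")

def lift(f):
    """Strict lifting f^⊥ (Section 3): ⊥ if an argument is ⊥ or f is
    undefined, which is modelled here by f raising an ArithmeticError."""
    def f_bot(*args):
        if any(a is BOT for a in args):
            return BOT
        try:
            return f(*args)
        except ArithmeticError:  # e.g. division by zero
            return BOT
    return f_bot

class Transition:
    """Transition with pre/post places and signature ρ(t) = (rd, wr)."""
    def __init__(self, name, pre, post, rd=(), wr=(),
                 pred=lambda *k: True, func=lambda *k: ()):
        self.name, self.pre, self.post = name, frozenset(pre), frozenset(post)
        self.rd, self.wr = tuple(rd), tuple(wr)
        self.pred, self.func = lift(pred), lift(func)  # P_t^⊥ and G_t^⊥

def enabled(t, q, sigma):
    """Letter t enabled at (q, σ): pre-places marked and new post-places free
    (Def. 9, (1)); P_t^⊥ not false (Def. 9, (2)), so ⊥ counts as enabled."""
    if not t.pre <= q or (t.post - t.pre) & q:
        return False
    return t.pred(*(sigma[r] for r in t.rd)) is not False

def fire(t, q, sigma):
    """δ_V and δ'_V for one event: new marking and register assignment."""
    out = t.func(*(sigma[r] for r in t.rd))
    sigma2 = dict(sigma)
    for j, r in enumerate(t.wr):
        sigma2[r] = BOT if out is BOT else out[j]
    return (q - t.pre) | t.post, sigma2

def k_restricted(t, K):
    """Definition 4 for one transition: every defined output is ≤ K for all
    inputs ≤ K (checked exhaustively, so only sensible for small K)."""
    if not t.wr:
        return True
    for args in product(range(K + 1), repeat=len(t.rd)):
        out = t.func(*args)
        if out is not BOT and any(v > K for v in out):
            return False
    return True

def fact(name, place, regs, phi):
    """Fact t_φ (Section 7): self-loop on p_φ, reads r_1..r_n, predicate ¬φ,
    no output registers; enabled exactly when φ is violated (or undefined)."""
    return Transition(name, {place}, {place}, regs, (), lambda *k: not phi(*k))

def reachable(net, s0):
    """R_V(s_0), explored one letter at a time (finite by Lemma 11)."""
    key = lambda q, sg: (q, tuple(sorted(sg.items())))
    seen, todo = {key(*s0): s0}, deque([s0])
    while todo:
        q, sg = todo.popleft()
        for t in net:
            if enabled(t, q, sg):
                s = fire(t, q, sg)
                if key(*s) not in seen:
                    seen[key(*s)] = s
                    todo.append(s)
    return list(seen.values())

def violations(net, s0, fact_name):
    """Reachable states at which the named fact is enabled."""
    t = next(t for t in net if t.name == fact_name)
    return [(q, sg) for q, sg in reachable(net, s0) if enabled(t, q, sg)]

# Constructed 3-bit example (K = 7): piston controller with the blocking
# register blk of Section 2, switch sensor S, valve outputs Yl/Yr, a cycle
# counter n and a derived value d. Net and values are invented for this example.
K = 7
REGS = ("S", "blk", "Yl", "Yr", "n", "d")
piston = [
    # environment: may flip the switch only while blk = 0, then blocks itself
    Transition("flip", {"env"}, {"env"}, ("blk", "S"), ("blk", "S"),
               pred=lambda blk, s: blk == 0, func=lambda blk, s: (1, 0 if s else 1)),
    # buggy user program: opens the left valve on S = 1 but never closes Yr
    Transition("cycle", {"idle"}, {"busy"}, ("S", "n"), ("Yl", "Yr", "n"),
               func=lambda s, n: (s, 1, (n + 1) % (K + 1))),
    # d = n / S divides by zero while the switch is released: a run-time error
    Transition("rate", {"busy"}, {"done"}, ("n", "S"), ("d",),
               func=lambda n, s: (n // s,)),
    # end of the cycle: reset blk, which unblocks the environment
    Transition("end", {"done"}, {"idle"}, (), ("blk",), func=lambda: (0,)),
    # facts: safety property Yl·Yr = 0 and the run-time-error property χ = true
    fact("f_valves", "pf", ("Yl", "Yr"), lambda yl, yr: yl * yr == 0),
    fact("f_bot", "px", REGS, lambda *k: True),
]
s0 = (frozenset({"env", "idle", "pf", "px"}),
      {"S": 0, "blk": 0, "Yl": 0, "Yr": 0, "n": 0, "d": 0})
```

Every state returned by violations(piston, s0, "f_valves") has both valves open, and every state returned for "f_bot" carries ⊥ in d, which is the on-the-fly detection this section describes.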

8 Summary and Further Work 

Starting with the special requirements to model PLC programs given in IL adequately, we defined (restricted) register nets (RNs), a variation of colored Petri nets. RNs are tailored to a concise description of the operational semantics of IL. In order to get both efficient analysis methods and comprehensive behavior descriptions, RNs have been equipped with partial order semantics instead of the usual interleaving semantics. This gave us the chance to define the concurrent automaton (CA) as a semantic model for RNs. CA have been designed to combine the advantages of partial order semantics and state based models.

A generation algorithm for CA has been given. Finally, simple safety proper- 
ties were defined and an analysis method for those properties based on CA has 
been given. If a violation of such a property is detected, a counter example is 
available to give the software developer information on the system behavior in 
which the error occurs. Due to our partial order semantics, the counter example 
is given by a concise semi-word instead of one of its arbitrary serializations. We 
concluded with the observation that run-time errors are expressible as a special 
type of a simple safety property. 

However, the notion of simple safety properties is not powerful enough to capture every relevant analysis question. In industrial applications, it is sometimes important to determine whether a PLC program is able to react ‘immediately’, i.e. within the next processing cycle. Recalling our case study from Section [?], an example of a property of this type is: if the operator releases the switch, does the piston stop moving right after the next processing cycle is completed?

Encouraging results of the available implementation of an algorithm for the construction of CA for safe Petri nets have been published in [?]. Our ongoing research focuses on an implementation of the approach presented in this paper to determine run-times and memory efforts in practice. The analysis of more challenging examples is under preparation.
Abstract. The model of Stochastic Petri nets (SPN) with a product form solution (Π-net) is a class of nets for which there is an analytic expression of the steady state probabilities w.r.t. markings, as for product form queueing networks w.r.t. queue lengths. In this paper, we prove new important properties of this kind of nets. First we provide a polynomial time (w.r.t. the size of the net structure) algorithm to check whether a SPN is a Π-net. Then, we give a purely structural characterization of SPN for which a product form solution exists regardless of the particular values of the probabilistic parameters of the SPN. We call such nets Π²-nets. We also present untimed properties of Π-nets and Π²-nets such as liveness, reachability, deadlock freeness and characterization of reachable markings. The complexity of the reachability and the liveness problems is also addressed for Π-nets and Π²-nets. These results complement previous studies on these classes of nets and improve the applicability of Product Form solutions.



1 Introduction 

Stochastic Petri nets (SPNs) are a powerful tool for modelling and evaluating the performance of systems involving concurrency, non-determinism, and synchronization, such as parallel and distributed systems, communication networks, etc. The stochastic semantics of SPN have been proven to be a Continuous Time Markov Chain, and steady state analysis can thus be expressed as the solution of a system of equilibrium equations, one for each possible marking of their state space. The major problem in the computation of performance measures using SPNs is thus the size of the reachability set of these models, which increases exponentially both with the number of tokens in the initial marking and with the number of places in the net. As a consequence, the dimension of this reachability set and the time complexity of the solution procedure preclude, in the general

* At time of writing, P. Moreaux was visiting professor at the Dipartimento di Informatica, Università di Torino.
case, the direct exact numerical evaluation of many interesting models. To cope with this problem, we can first accept non-exact performance measures. The two main approaches developed in this area are discrete-event simulation and approximate methods. Bounds computation methods provide more reliable information about the performance indices. However, if we wish to obtain the exact values of performance measures, then we may improve numerical methods solving the underlying mathematical problem (linear or differential systems of equations) and/or we may relate the structure of the model to the properties of these underlying mathematical objects.

One successful approach in this last direction is the product form analysis (PFA) for Queueing Networks (QN), that is the expression of basic performance indices of QN, such as steady state probabilities, mean throughputs, utilization, etc., as functions of the model parameters (service rates, routing probabilities, properties of the service stations, etc.). The first structural property involved in PFA is obviously the setting up of the model as a collection of service stations bound by the paths taken by “clients”. From this structure, PF solutions may be proven for several classes of QN by examination of sets of some kind of “local balance equations”, for instance equations established for each station. Second, specific descriptions of the state space of PF-QN lead to important relations. For instance, the convolution algorithms [?] and the Mean Value Analysis (MVA) method [?] are based upon recursive relations between models with state spaces with different numbers of clients. Unfortunately, (the standard version of) PF-QN offer limited possibilities for what concerns synchronization between client activities. This situation was one of the main motivations in the study of Stochastic Petri Nets (SPN) with a Product form solution (PF-SPN). First results about PF-SPN were established in [?] based on the structure of the reachability graph of the net. Recently, several authors proposed structural sufficient conditions for a Petri net to be a PF-SPN. These results are summarized in Section 2. The present paper supplements previous results for PF-SPN regarding four important issues.



Membership Problem for SPN with PF solution. As we will see in Section 3, a straightforward verification procedure for deciding whether a given SPN has a PF solution requires the computation of all minimal T-semiflows of the marked net (T-semiflows are structural invariants of Petri nets (PN), see Section 2). It is however known that the number of minimal T-semiflows can be exponential in the number of transitions (e.g., [?]). In fact, we establish a polynomial time algorithm to decide whether a SPN has a PF solution.



Rate independent structural characterization of PF-SPN. Previous cri- 
teria for PF-SPN have two drawbacks: they are only sufficient conditions, and 
they involve properties of the rates of the transitions of the net. We present 
a necessary and sufficient structural condition on nets to admit a PF solution 
whatever the rates of its transitions. Hence we prove a rate-independent struc- 
tural characterization of PF-SPN. Moreover, this criterion can be checked in 
polynomial time. 
Untimed properties of PF-SPN. We investigate untimed properties for the class of PF-SPN. Since many results (deadlock-freeness, liveness, etc.) have been established for several known classes of PN, it can be valuable to point out the relation between PF-SPN and these classes.

Reachability Set properties. Efficient numerical solutions for PF-SPN re- 
quire to characterize subsets of reachable markings. It is hence important to 
have a structural criterion for reachable markings (e.g., a method based on the 
minimal P-semiflows, a method based on the net state equation, etc.). We present 
new results about these possible criteria. 

The organization of the paper is the following: in Section 2 we review SPN and previous results about Π-nets. Section 3 presents the verification procedure for PF-SPN and a series of results about the class of PF-SPN in relation to other classes of Petri nets. In Section 3.3 we define the new class, Π²-nets, of PF-SPN corresponding to rate independent criteria for a PF solution together with globally dependent rates. Untimed properties of Π²-nets are studied in Section 4. The conclusion summarizes the results presented in the paper.

2 Background and Notations 

2.1 Stochastic Petri Nets 

One may find introductory presentations of Petri net concepts for instance in [?]. We recall only the definitions necessary to understand product form results for stochastic Petri nets.

A marked stochastic Petri net is a 5-tuple $SPN = (P, T, W, Q, \mathbf{m}_0)$, where $P$ and $T$ are disjoint sets of places and transitions (with $|P| = n_p$ and $|T| = n_t$), $W : (P \times T) \cup (T \times P) \to \mathbb{N}$ defines the weighted flow relation: if $W(j,i) > 0$ (resp. $W(i,j) > 0$) then we say that there is an arc from $t_j$ to $p_i$, with weight or multiplicity $W(j,i)$ (resp. there is an arc from $p_i$ to $t_j$ with weight $W(i,j)$), $Q$ is the set of transition firing rates drawn from exponential distributions, and $\mathbf{m}_0$ is the initial marking.

For a given transition $t_j \in T$, its preset and postset are given by ${}^\bullet t_j = \{p_i \mid W(i,j) > 0\}$ and $t_j^\bullet = \{p_i \mid W(j,i) > 0\}$, respectively. In the same manner we can define the preset and postset of a given place.

For any transition $t_j$, from the weighted flow relation we can define the input vector $\mathbf{i}(t_j) = [W(1,j), W(2,j), \ldots, W(|P|,j)]$ and the output vector $\mathbf{o}(t_j) = [W(j,1), W(j,2), \ldots, W(j,|P|)]$. From the weighted flow relation we can also define the incidence matrix $C$ with entries $C[i,j] = W(j,i) - W(i,j)$.

A transition $t_j$ is enabled in a marking $\mathbf{m}$ iff $\mathbf{m} \ge \mathbf{i}(t_j)$. Being enabled, $t_j$ may occur (or fire) yielding a new marking $\mathbf{m}' = \mathbf{m} + C[\cdot, j]$ ($C[\cdot, j]$ is the $j$-th column of $C$), and this is denoted by $\mathbf{m} \xrightarrow{t_j} \mathbf{m}'$. The set of all the markings reachable from $\mathbf{m}_0$ is called the reachability set, and is denoted by $RS(\mathbf{m}_0)$.

Semiflows are non-null natural annullers of $C$. Right and left annullers are called T- and P-(semi)flows respectively. A semiflow is called minimal when its support (i.e., the set $\|\mathbf{s}\|$ of the non-zero components of vector $\mathbf{s}$) is not a proper superset of the support of any other, and the g.c.d. of its elements is one.

2.2 Previous Product Form Solution Results for Stochastic Petri Nets

A class of SPNs characterized by the fact that the stationary probability distribution of any net in this class can be factored into a product of terms has been introduced in [?]. Nets possessing this property are called Product-Form Stochastic Petri Nets (PF-SPNs) and are easily identified by the criteria proposed in [?].

Let $\mathbf{x}_1, \mathbf{x}_2, \ldots, \mathbf{x}_h$ denote the minimal T-semiflows found from the incidence matrix. The following definitions are essential to the analysis of the SPNs that have a Product Form Solution.

Definition 1. A subset of transitions $T'$ ($T' \subseteq T$) is said to be closed if $\bigcup_{t_j \in T'} \mathbf{i}(t_j) = \bigcup_{t_j \in T'} \mathbf{o}(t_j)$. An alternative definition of a closed set of transitions is the following: let $\mathcal{R}(T') = \bigcup_{t_j \in T'} \{\mathbf{i}(t_j), \mathbf{o}(t_j)\}$ be the set of input and output bags for transitions in $T'$. The subset of transitions $T'$ is said to be closed if for any $\mathbf{l} \in \mathcal{R}(T')$ there exist $t_i, t_j \in T'$ such that $\mathbf{l} = \mathbf{i}(t_i)$ and $\mathbf{l} = \mathbf{o}(t_j)$; that is, each output bag is also an input bag for some transition in $T'$, and vice-versa each input bag is also an output bag.



Definition 2. $\mathcal{N}$ is a Π-net if $\forall t_j \in T$ there exists a minimal T-semiflow $\mathbf{x}$ such that $t_j \in \|\mathbf{x}\|$, and $\|\mathbf{x}\|$ is a closed set.

In other words, $\mathcal{N}$ is a Π-net if all transitions are covered by closed support minimal T-semiflows.

Example of Π-net. Figure 1(a) shows a net satisfying Definition 2. We can see that there are two minimal T-semiflows $\mathbf{x}_1 = [1,0,1,0]$ and $\mathbf{x}_2 = [0,1,0,1]$, with $\|\mathbf{x}_1\| = \{t_1, t_3\}$ and $\|\mathbf{x}_2\| = \{t_2, t_4\}$. We can observe that
$$\bigcup_{t_j \in \|\mathbf{x}_1\|} \mathbf{i}(t_j) = \{[1,0,0,0], [0,0,1,0]\} = \bigcup_{t_j \in \|\mathbf{x}_1\|} \mathbf{o}(t_j) \quad\text{and}\quad \bigcup_{t_j \in \|\mathbf{x}_2\|} \mathbf{i}(t_j) = \{[1,1,0,0], [0,0,0,1]\} = \bigcup_{t_j \in \|\mathbf{x}_2\|} \mathbf{o}(t_j).$$
Both T-semiflows have closed support sets. Since any transition belongs to a closed support minimal T-semiflow, this net is a Π-net.

The definition of Π-nets was originally motivated while studying the problem of finding product form solutions for SPNs [?]. More precisely, for the SPNs having the Π property, there exists a positive solution for the traffic equations (see below). In a Π-net we denote by $\{\mathbf{x}_1, \mathbf{x}_2, \ldots, \mathbf{x}_l\}$ the set of closed support minimal T-semiflows. Among the minimal closed support T-semiflows, we can identify a relation that can be used to derive the PFS. Two different minimal closed support T-semiflows $\mathbf{x}'$ and $\mathbf{x}''$ are said to be freely related, denoted as $(\mathbf{x}', \mathbf{x}'') \in FR$, if there exist $t_j \in \|\mathbf{x}'\|$ and $t_h \in \|\mathbf{x}''\|$ such that $\mathbf{i}(t_j) = \mathbf{i}(t_h)$. The relation $FR^*$ is the transitive closure of $FR$. It is easy to see that the relation $FR^*$ yields a partitioning of the set of minimal closed support T-semiflows. Because any $t_j$ can belong to only one $FR^*$-class, the partition of T-semiflows leads to a partition of transitions. In the following we denote by $C(t_j)$ the class of the partition to which transition $t_j$ belongs.

Fig. 1. Examples of Π-nets

As for Queueing Networks, PF solutions for SPN are based on the analysis of underlying Markov chains (MC). Instead of reasoning in terms of the MC with states as markings, it is more convenient to study an auxiliary MC with states being the input (or output) vectors $\mathbf{i}(t)$, called the routing process [?] of the SPN. The infinitesimal generator $Q$ of this MC is defined by:

where $P[\mathbf{a}, \mathbf{b}]$ is the routing probability from $\mathbf{a} = \mathbf{i}(t_j)$ to $\mathbf{b}$: it can be computed by examining the various transitions enabled after the firing of $t_j$, and $\mu_h$ is the usual rate of SPN transition $t_h$. For the sake of simplicity, we present all the results by assuming that the transition rates are marking independent. In [?] results are presented with several kinds of marking dependent transition firing rates.

The traffic equations of the routing process are the global balance equations of this MC. Denoting with $v(\mathbf{i}(t_j))$ the so-called visit-ratio to node $\mathbf{i}(t_j)$, these equations can be stated as:
$$\forall t_j \in T,\qquad v(\mathbf{i}(t_j)) = \sum_{t_h \in T} v(\mathbf{i}(t_h))\, P[\mathbf{i}(t_h), \mathbf{i}(t_j)] \qquad (1)$$



Boucherie and Sereno [2] showed that traffic equations and structural properties of a net are closely related.

Theorem 1 (from [2]). Let $\mathcal{N} = (P, T, W, Q, \mathbf{m}_0)$ be a SPN. There is a non-null positive solution for the Traffic Equations (1) iff $\mathcal{N}$ is a Π-net.

The existence of a positive solution for the Traffic Equations (1) is not a sufficient condition to assert a Product-Form Solution for the SPN. The following result from Coleman et al. [?] and [?] states that the equilibrium distribution has a product form over the places of the SPN whenever one additional condition holds. Let us denote $f = v/\mu$, with $v$ a solution for the traffic equations, and define the vector $\mathbf{w}_f = [w_1, \ldots, w_{n_t}]$ as
$$\mathbf{w}_f = \left[\log\frac{f(\mathbf{i}(t_1))}{f(\mathbf{o}(t_1))},\ \log\frac{f(\mathbf{i}(t_2))}{f(\mathbf{o}(t_2))},\ \ldots,\ \log\frac{f(\mathbf{i}(t_{n_t}))}{f(\mathbf{o}(t_{n_t}))}\right] \qquad (2)$$

There may be many functions $f$ that derive from solutions for the traffic equations. However each one is unique up to a multiplicative constant in each $FR^*$ class. This implies that the ratio $f(\mathbf{i}(t_i))/f(\mathbf{o}(t_i))$ is invariant.

Theorem 2 (Product-Form for Equilibrium Distribution of SPN, from [?]). Let $f = v/\mu$ with $v$ a solution for the traffic equations. The equilibrium distribution for the SPN has the form
$$\pi(\mathbf{m}) = \frac{1}{G}\prod_{i=1}^{n_p} y_i^{\mathbf{m}[i]} \qquad \forall \mathbf{m} \in RS(\mathbf{m}_0) \qquad (3)$$
if and only if $\mathrm{Rank}(C) = \mathrm{Rank}([C \mid \mathbf{w}_f])$, where $[C \mid \mathbf{w}_f]$ is the matrix $C$ augmented with the row $\mathbf{w}_f$ and $G$ is a normalization constant. In this case, the $n_p$-component vector $\mathbf{r} = [\log(y_1), \ldots, \log(y_{n_p})]$ satisfies the matrix equation
$$-\mathbf{r}.C = \mathbf{w}_f.$$

It must be noted that, generally, the condition $\mathrm{Rank}(C) = \mathrm{Rank}([C \mid \mathbf{w}_f])$ depends on the rates of the transitions of the net and not only on the structure of the net.



2.3 Examples of Π-Nets

Let us present two detailed examples of Π-nets. The first one complements the study of the net of Figure 1(a) and the second one shows a more complex situation about the rank condition of Theorem 2. The reader will also find an example of an unbounded Π-net in Section 4.



Example 1. In this example we briefly review the procedure used to obtain the equilibrium distribution for the Π-net depicted in Figure 1(a). For additional details the reader is referred to [?]. Since we know that the SPN is a Π-net, there is a solution for the Traffic equations (1):
$$v(\mathbf{i}(t_1)) = v(\mathbf{i}(t_3)) \qquad v(\mathbf{i}(t_3)) = v(\mathbf{i}(t_1))$$
$$v(\mathbf{i}(t_2)) = v(\mathbf{i}(t_4)) \qquad v(\mathbf{i}(t_4)) = v(\mathbf{i}(t_2))$$
One solution is $v(\mathbf{i}(t_1)) = v(\mathbf{i}(t_3)) = v(\mathbf{i}(t_2)) = v(\mathbf{i}(t_4)) = 1$, from which we obtain $f(\mathbf{i}(t_1)) = 1/\mu_1$, $f(\mathbf{i}(t_2)) = 1/\mu_2$, $f(\mathbf{i}(t_3)) = 1/\mu_3$, and $f(\mathbf{i}(t_4)) = 1/\mu_4$.

The row vector $\mathbf{w}_f$ is:
$$\mathbf{w}_f = \left[\log\frac{f(\mathbf{i}(t_1))}{f(\mathbf{i}(t_3))},\ \log\frac{f(\mathbf{i}(t_2))}{f(\mathbf{i}(t_4))},\ \log\frac{f(\mathbf{i}(t_3))}{f(\mathbf{i}(t_1))},\ \log\frac{f(\mathbf{i}(t_4))}{f(\mathbf{i}(t_2))}\right] = \left[\log\frac{\mu_3}{\mu_1},\ \log\frac{\mu_4}{\mu_2},\ \log\frac{\mu_1}{\mu_3},\ \log\frac{\mu_2}{\mu_4}\right]$$



The rank condition $\mathrm{Rank}(C) = \mathrm{Rank}([C \mid \mathbf{w}_f])$ gives us:
$$\mathrm{Rank}\begin{pmatrix} -1 & -1 & 1 & 1\\ 0 & -1 & 0 & 1\\ 1 & 0 & -1 & 0\\ 0 & 1 & 0 & -1\end{pmatrix} = \mathrm{Rank}\begin{pmatrix} -1 & -1 & 1 & 1\\ 0 & -1 & 0 & 1\\ 1 & 0 & -1 & 0\\ 0 & 1 & 0 & -1\\ w_1 & w_2 & w_3 & w_4\end{pmatrix}$$

The rank condition holds independently of the rate values because we can easily verify that $w_1 + w_3 = 0$ and $w_2 + w_4 = 0$, since $\log\frac{\mu_3}{\mu_1} + \log\frac{\mu_1}{\mu_3} = \log\frac{\mu_3\mu_1}{\mu_1\mu_3} = \log(1) = 0$ and similarly for $w_2 + w_4 = 0$.

Since Theorem 2 applies, we can obtain the expression of $\pi(\mathbf{m})$. To this end, we first solve the matrix equation $\mathbf{r}.C + \mathbf{w}_f = 0$, that is to say:
$$\begin{aligned} -r_1 + r_3 + w_1 &= 0 & r_1 - r_3 + w_3 &= 0\\ -r_1 - r_2 + r_4 + w_2 &= 0 & r_1 + r_2 - r_4 + w_4 &= 0.\end{aligned}$$
Then, setting $r_1 = r_2 = 0$, we obtain $r_3 = w_3$ and $r_4 = w_4$, from which we derive ($r_i = \log(y_i)$) $y_1 = y_2 = 1$, $y_3 = \mu_1/\mu_3$, and $y_4 = \mu_2/\mu_4$. Hence the equilibrium distribution of the SPN of Figure 1(a) is
$$\pi(\mathbf{m}) = \frac{1}{G}\left(\frac{\mu_1}{\mu_3}\right)^{\mathbf{m}[p_3]}\left(\frac{\mu_2}{\mu_4}\right)^{\mathbf{m}[p_4]}.$$



Example 2. The SPN shown in Figure 1(b), taken from [?], represents an SPN in which the rank condition is not satisfied independently of the rate values. The incidence matrix $C$ is given by
$$C = \begin{pmatrix} -1 & 2 & -2 & 1\\ 1 & -2 & 2 & -1\end{pmatrix}.$$
This SPN is covered by four minimal T-semiflows whose support sets are $\|\mathbf{x}_1\| = \{t_1, t_4\}$, $\|\mathbf{x}_2\| = \{t_2, t_3\}$, $\|\mathbf{x}_3\| = \{2t_1, t_2\}$, and $\|\mathbf{x}_4\| = \{t_3, 2t_4\}$. Only $\mathbf{x}_1$ and $\mathbf{x}_2$ are closed, but they cover $T$ so that the SPN satisfies Definition 2. Then the SPN is a Π-net and hence there exists a positive solution for the traffic equations. In particular we obtain $f(\mathbf{i}(t_i)) = 1/\mu_i$ for $i = 1, \ldots, 4$. The vector $\mathbf{w}_f$ is given by
$$\mathbf{w}_f = \left[\log\frac{f(\mathbf{i}(t_1))}{f(\mathbf{i}(t_4))},\ \log\frac{f(\mathbf{i}(t_2))}{f(\mathbf{i}(t_3))},\ \log\frac{f(\mathbf{i}(t_3))}{f(\mathbf{i}(t_2))},\ \log\frac{f(\mathbf{i}(t_4))}{f(\mathbf{i}(t_1))}\right] = \left[\log\frac{\mu_4}{\mu_1},\ \log\frac{\mu_3}{\mu_2},\ \log\frac{\mu_2}{\mu_3},\ \log\frac{\mu_1}{\mu_4}\right].$$

The augmented matrix $[C \mid \mathbf{w}_f]$ is row equivalent (working on its transpose) to the fully row reduced matrix
$$\begin{pmatrix} -1 & 1 & w_1\\ 0 & 0 & w_2 + 2w_1\\ 0 & 0 & w_3 - 2w_1\\ 0 & 0 & w_1 + w_4\end{pmatrix}.$$
The rank conditions are $w_2 + 2w_1 = 0$, $w_3 - 2w_1 = 0$, and $w_1 + w_4 = 0$, which implies $\frac{f(\mathbf{i}(t_2))}{f(\mathbf{i}(t_3))}\left(\frac{f(\mathbf{i}(t_1))}{f(\mathbf{i}(t_4))}\right)^2 = 1$, $\frac{f(\mathbf{i}(t_3))}{f(\mathbf{i}(t_2))}\left(\frac{f(\mathbf{i}(t_4))}{f(\mathbf{i}(t_1))}\right)^2 = 1$, and $1 = 1$ respectively. The first and second conditions are the same and arise because there is more than one way to produce the same change of marking. Substituting for the function $f$, the rank condition becomes $\left(\frac{\mu_4}{\mu_1}\right)^2 = \frac{\mu_2}{\mu_3}$. If this condition is met, Theorem 2 applies, and, letting $y_2 = 1$, gives $y_1 = \mu_4/\mu_1$. Finally, $\pi_f(\mathbf{m}) = \frac{1}{G}\left(\frac{\mu_4}{\mu_1}\right)^{\mathbf{m}[p_1]}$.
3 The Class of Π-Nets

In this section we are interested in structural properties of Π-nets. We present first an important result which allows one to check, in polynomial time¹, whether a given SPN is a Π-net or not. Then, trying to position the class of Π-nets with respect to classical structural classes of PN, we show that there is no simple relation between these classes and Π-nets.

3.1 Membership Problem

Algorithm Verify Π-net

    fail ← false
    repeat
        let t ∈ T
        A ← {t}
        In ← {i(t)}
        Out ← {o(t)}
        while ∃ t' ∈ T s.t. i(t') ∈ Out do
            A ← A ∪ {t'}
            T ← T \ {t'}
            In ← In ∪ {i(t')}
            Out ← Out ∪ {o(t')}
        endwhile
        fail ← (In ≠ Out)
        /* if not fail then A is a FR* class */
    until T = ∅ or fail

    /* fail is true iff the net is not a Π-net */

From the definition of Π-nets we can decide if a given net falls in this class. The problem that arises is the complexity of a straightforward application of Definition 2, because the number of minimal T-semiflows can be exponential in the number of transitions (e.g., [?]). We present now an algorithm that allows one to recognize whether a net is a Π-net in polynomial time. The soundness of the algorithm is based on the following lemma (see [?] for the proof).

Lemma 1. If $\mathbf{x}$ is a closed support minimal T-semiflow then (i) for each transition $t_i \in \|\mathbf{x}\|$, $\mathbf{x}[i] = 1$ ($\mathbf{x}[i]$ is the $i$-th component of $\mathbf{x}$); (ii) $\|\mathbf{x}\|$ may be ordered as $(t_{j_0}, t_{j_1}, \ldots, t_{j_{h-1}})$ such that $\mathbf{o}(t_{j_i}) = \mathbf{i}(t_{j_{(i+1) \bmod h}})$ (for $i = 0, 1, \ldots, h-1$), and $\mathbf{i}(t_{j_i}) \ne \mathbf{i}(t_{j_l})$ for $i \ne l$.

Algorithm for Π-net membership. The previous lemma states that a closed support minimal T-semiflow can be seen as a cycle of transitions $t_{j_0}, t_{j_1}, \ldots, t_{j_{h-1}}$ such that $\mathbf{o}(t_{j_i}) = \mathbf{i}(t_{j_{(i+1) \bmod h}})$ (for $i = 0, 1, \ldots, h-1$). The algorithm Verify Π-net exploits this feature for checking if a net is a Π-net.



^ Unless explicitly mentioned, all complexity results in the paper are w.r.t. the size of 
the net, i.e. the number of places, transitions, arcs and the binary representation of 
valuations. 
We point out that the algorithm yields a covering set of closed support minimal T-semiflows (if the SPN is a Π-net). From these we can derive the routing probabilities and the partition of the set of transitions $T$ into $FR^*$-classes.

From simple considerations we can see that both the inner and the outer loops require $O(|T|)$ steps. Hence the algorithm that allows one to recognize whether a given net satisfies Definition 2 requires $O(|T|^2)$ steps.
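The following Python transcription of the Verify Π-net loop is an added example, not code from the paper: the Figure 1(a) net is read off the incidence matrix of Example 1, and the second net is a constructed marked graph of the idle-place / parbegin-parend kind that the paper cites as a MG which is not a Π-net.

```python
# Added example (not the paper's code): the "Verify Pi-net" algorithm.
# A net is given by its transitions' input and output bags i(t), o(t),
# each a tuple over the places.
from typing import Dict, List, Optional, Set, Tuple

Bag = Tuple[int, ...]
Net = Dict[str, Tuple[Bag, Bag]]   # transition -> (i(t), o(t))

# Net of Figure 1(a) (places p1..p4, transitions t1..t4), read off the
# incidence matrix given in Example 1.
EXAMPLE1: Net = {
    "t1": ((1, 0, 0, 0), (0, 0, 1, 0)),
    "t2": ((1, 1, 0, 0), (0, 0, 0, 1)),
    "t3": ((0, 0, 1, 0), (1, 0, 0, 0)),
    "t4": ((0, 0, 0, 1), (1, 1, 0, 0)),
}

# Constructed marked graph: idle place p0, a parbegin t_begin forking into
# p1 and p2, an intermediate action t_mid on the p1 branch (p1 -> p3), and
# a parend t_end joining p2 and p3 back into p0. The paper states that such
# a net is a MG but not a Pi-net.
PARBEGIN_PAREND: Net = {
    "t_begin": ((1, 0, 0, 0), (0, 1, 1, 0)),
    "t_mid":   ((0, 1, 0, 0), (0, 0, 0, 1)),
    "t_end":   ((0, 0, 1, 1), (1, 0, 0, 0)),
}


def verify_pi_net(net: Net) -> Tuple[bool, List[Set[str]]]:
    """Run the paper's Verify Pi-net loop on `net`.

    Returns (is_pi_net, classes). When the net is a Pi-net, `classes` is the
    partition of T into FR*-classes found by the algorithm (each class is the
    support of a closed minimal T-semiflow or a union of freely related ones).
    On failure, `classes` holds only the classes completed before the failure.
    """
    remaining = dict(net)          # the working set T, consumed as in the algorithm
    classes: List[Set[str]] = []
    fail = False
    while remaining and not fail:
        # let t in T; A <- {t}; In <- {i(t)}; Out <- {o(t)}
        t = next(iter(remaining))
        a: Set[str] = {t}
        ins: Set[Bag] = {net[t][0]}
        outs: Set[Bag] = {net[t][1]}
        # while there is t' in T with i(t') in Out: follow the cycle of bags
        while True:
            t_prime: Optional[str] = next(
                (u for u, (i_u, _) in remaining.items() if i_u in outs), None)
            if t_prime is None:
                break
            a.add(t_prime)
            del remaining[t_prime]
            ins.add(net[t_prime][0])
            outs.add(net[t_prime][1])
        # fail <- (In != Out); a closed set has equal input and output bag sets
        fail = ins != outs
        if not fail:
            classes.append(a)
    return (not fail), classes


if __name__ == "__main__":
    for name, net in (("Figure 1(a)", EXAMPLE1), ("parbegin-parend MG", PARBEGIN_PAREND)):
        ok, classes = verify_pi_net(net)
        print(f"{name}: Pi-net = {ok}, FR*-classes = {[sorted(c) for c in classes]}")
```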

3.2 Π-Nets and Other Classes of PN

As usual for Petri net models, it is interesting to examine whether it is possible to structurally characterize behavioural properties of these nets and to deduce efficient checking of these properties. Since this is the case for some well known subclasses of nets, we first recall such subclasses and we compare Π-nets with them. For completeness, results include the class of Π²-nets which are introduced in Section 3.3.

The following classes of Petri nets are particularly interesting for the analysis 
of behavioural properties: 

— A state machine (SM) is a Petri net with binary valuations where any tran- 
sition has exactly one input and one output place. 

— A marked graph (MG) is a Petri net with binary valuations where any place 
has exactly one input and one output transition. 

— A weighted transition system (WTS) is a Petri net where any place has 
exactly one input and one output transition (MG are special case of WTS). 

— An extended free-choice net (EFC) is a Petri net with binary valuations where two transitions sharing an input place have the same set of input places.

Proposition 1. Comparing Π-nets with some classical subclasses of Petri nets, we have:

— If $\mathcal{N}$ is a WTS and a Π-net, then it is behaviourally equivalent to a MG.

— Every SM is a Π-net (and even a Π²-net).

— There are MGs which are not Π-nets.

— There are Π-nets (and even Π²-nets) which are not EFC nets.

Proof. Figure 2 explains the conversion from a WTS Π-net to a MG: in (a) we change the weights of arcs connecting isolated places ($k = w_1 - w_2$); in (b), we observe that any weighted Π-cycle is just equivalent to an ordinary cycle.

As a straightforward consequence of the definitions, every SM is a Π-net. In any SM, the $\mathbf{r}$ vectors are $\mathbf{1}_p$: null components except on component $p$, the input or output place of a transition $t$. Taking $\mathbf{a}_r = \mathbf{r}$ for each $\mathbf{r}$, we see that a SM is also a Π²-net (see below for the definition of Π²-nets).

A net with an idle place followed by a parbegin-parend with an intermediate action is a MG but not a Π-net. Note however that any Π-net MG is a union of disjoint cycles, hence a Π²-net.

Finally, we will see that the net of Example 1 (Figure 1(a)) is a Π²-net, and it is clearly not an EFC net.
Fig. 2. Conversion of WTS Π-nets into MGs: (a), (b)



3.3 Π²-Nets

In this section we define the class of Π²-nets, which are exactly the set of Π-nets having a PF solution for any stochastic specification, in contrast with previous results whose criteria depend on the rates of transitions (see Example 2). Moreover, we introduce a more general dependency of the firing rates of transitions with respect to the global marking of the net system.

Definition of Π²-Nets. Criteria found by several authors since the late 80’s for PF solutions of SPN are only sufficient conditions, and moreover, they are made up of structural conditions and conditions on the stochastic parameters of the SPN. In search of a purely structural characterization of PF solution SPN, we were led to fully reconsider the concept of “virtual client state” of a Π-net system in the context of routing processes and to analyze in depth how to characterize these states. In previous works, T-semiflows identify concurrent “virtual client” activities. These activities are “synchronized” by conflicting resource allocation, that is, shared input places of transitions. As for places, they are usually interpreted either as specific resources or as clients. But, indeed, this interpretation does not allow us to express the PF property at a structural level because virtual client states do not reduce to place markings, even in a Π-net. For instance, in the net of Example 1 (Figure 1(a)), we may think of $t_1, p_3, t_3$ as batch job processing (activity 1), and of $t_2, p_4, t_4, p_2$ as interactive work of users (activity 2). The place $p_1$, modelling processor resources, cannot, alone, characterize the “idle” batch jobs state. This is the crucial point: in a Π-net, we have no information about the state of the virtual clients in the net system, and this is the main reason which prevents us from stating a necessary and sufficient condition for the existence of a PF solution. Actually, we have found that virtual client states are characterized by a relation $\mathbf{v}.C = \mathbf{r}$, where $\mathbf{v}$ is a vector on places and $\mathbf{r}$ is a vector such that $\mathbf{r}[i] = 1$ if $t_i$ adds a client to the “state”, $\mathbf{r}[i] = -1$ if $t_i$ removes a client and $\mathbf{r}[i] = 0$ otherwise. The Π²-net property expresses, by means of rational vectors $\mathbf{a}_r$, the relation which must hold between virtual client states of a Π-net and input/output vectors of the net, to ensure that this Π-net has a PF solution.



174 



S. Haddad et al. 



Moreover, this explicit relation on states of virtual clients allows us to model the dependency of the firing rate of a transition $t_j$ with respect to the global state of the system in parts (activities) of the net not related to the input/output vectors of transitions belonging to $C(t_j)$. This kind of dependency, introduced by the functions $P_{C(t_j)}$ in the definition below, cannot be taken into account in the framework of Π-nets.

For the rest of this section, we set ${}^\bullet r = \{t_j \in T \mid \mathbf{o}(t_j) = r\}$ and $r^\bullet = \{t_j \in T \mid \mathbf{i}(t_j) = r\}$ for every $r \in \mathcal{R}(T)$.

Definition 3 (Π²-net). A Π²-net (restricted Π-net) is a Π-net such that for every $r \in \mathcal{R}(T)$, there exists $\mathbf{a}_r \in \mathbb{Q}^{n_p}$ such that
$$\mathbf{a}_r . C[P, j] = \begin{cases} 1 & \text{if } t_j \in {}^\bullet r\\ -1 & \text{if } t_j \in r^\bullet\\ 0 & \text{otherwise}\end{cases}$$
where $C$ is the incidence matrix of the net (note that this excludes transitions $t_h$ with $\mathbf{i}(t_h) = \mathbf{o}(t_h)$).

The firing rate of a transition $t_j$ of a Π²-net system in the marking $\mathbf{m}$ is given by
$$\mu(t_j, \mathbf{m}) = \mu(\mathbf{i}(t_j)) \cdot P_{C(t_j)}\big((\mathbf{a}_{r''}.\mathbf{m})_{r'' \notin C(t_j)}\big) \cdot P[\mathbf{i}(t_j), \mathbf{o}(t_j)] \qquad (4)$$
Positive, real valued functions $P_{C(t_j)}((\mathbf{a}_{r''}.\mathbf{m})_{r'' \notin C(t_j)})$ make possible a homogeneous dependency of the transitions of the component $C(t_j)$ w.r.t. the state of the virtual clients in the other components, given by the $\mathbf{a}_{r''}.\mathbf{m}$ (see example below).

Note that the computation of the rational vectors $\mathbf{a}_r$ (or else the proof that there are no such $\mathbf{a}_r$) may be achieved in polynomial time with respect to the size of the net through a usual Gaussian elimination (but restricted to rational numbers).

The net of Example 2 is an example of a Π-net which is not a Π²-net (see its incidence matrix in Section 2.3). Let us set $r_1 = \{p_1\}$, so that ${}^\bullet r_1 = \{t_4\}$ and $r_1^\bullet = \{t_1\}$. If we try to define the vector $\mathbf{a}_{r_1} = [a, b]$, we get $a - b = 1$ (since $t_4 \in {}^\bullet r_1$) and $a - b = 0$ (since $t_2 \notin {}^\bullet r_1 \cup r_1^\bullet$). Hence, $\mathbf{a}_{r_1}$ does not exist and this SPN is not a Π²-net. In fact, $t_1$ and $t_3$ have proportional input and output bags but belong to different T-semiflows, and no distinction between these transitions is possible from $r_1$.

The Π-net of Example 1 (see Section 2.3) is a Π²-net. We have four input vectors $r$, belonging to two classes: $C_1 = \{r_1 = [1,0,0,0],\ r_3 = [0,0,1,0]\}$, $C_2 = \{r_2 = [1,1,0,0],\ r_4 = [0,0,0,1]\}$. The $\mathbf{a}_r$ vectors are
$$\mathbf{a}_{r_1} = [0,0,-1,0] \qquad \mathbf{a}_{r_3} = [0,0,1,0]$$
$$\mathbf{a}_{r_2} = [0,0,0,-1] \qquad \mathbf{a}_{r_4} = [0,0,0,1]$$
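Computing the rational vectors $\mathbf{a}_r$ of Definition 3 by Gaussian elimination over $\mathbb{Q}$, as an added example (not the paper's code): for each bag $r \in \mathcal{R}(T)$ it solves $\mathbf{a}_r . C = \mathbf{b}_r$ exactly with Python fractions and reports whether every $r$ admits a solution. The Example 1 net is read off its incidence matrix; the Example 2 net is my reading of the paper's description (two places, $C = [[-1,2,-2,1],[1,-2,2,-1]]$) and is an assumption.

```python
# Added example (not the paper's code): the a_r vectors of Definition 3 by
# exact Gaussian elimination over the rationals.
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

Bag = Tuple[int, ...]
Net = Dict[str, Tuple[Bag, Bag]]   # transition -> (i(t), o(t)), bags over the places

# Net of Figure 1(a), read off the incidence matrix of Example 1.
EXAMPLE1: Net = {
    "t1": ((1, 0, 0, 0), (0, 0, 1, 0)),
    "t2": ((1, 1, 0, 0), (0, 0, 0, 1)),
    "t3": ((0, 0, 1, 0), (1, 0, 0, 0)),
    "t4": ((0, 0, 0, 1), (1, 1, 0, 0)),
}

# Example 2 net as I read the paper's description (assumption): two places,
# C = [[-1, 2, -2, 1], [1, -2, 2, -1]], so t1 and t3 have proportional bags,
# t1 is in r1* and t4 in *r1 for r1 = {p1}.
EXAMPLE2: Net = {
    "t1": ((1, 0), (0, 1)),
    "t2": ((0, 2), (2, 0)),
    "t3": ((2, 0), (0, 2)),
    "t4": ((0, 1), (1, 0)),
}


def incidence_column(net: Net, t: str) -> List[int]:
    """C[P, j] = o(t_j) - i(t_j)."""
    i_t, o_t = net[t]
    return [o - i for i, o in zip(i_t, o_t)]


def target_vector(net: Net, r: Bag) -> List[Fraction]:
    """b_r[j] = 1 if t_j in *r, -1 if t_j in r*, 0 otherwise (Definition 3).
    Transitions with i(t) = o(t) are excluded by the definition; neither
    example net has one."""
    return [Fraction(1) if o_t == r else Fraction(-1) if i_t == r else Fraction(0)
            for i_t, o_t in net.values()]


def solve_rational(rows: List[List[Fraction]], rhs: List[Fraction]) -> Optional[List[Fraction]]:
    """Solve M x = rhs over Q by Gauss-Jordan elimination.
    Returns one solution (free variables set to 0) or None if inconsistent."""
    n_rows, n_cols = len(rows), len(rows[0])
    aug = [list(row) + [b] for row, b in zip(rows, rhs)]
    pivots: List[int] = []
    r = 0
    for c in range(n_cols):
        if r == n_rows:
            break
        p = next((k for k in range(r, n_rows) if aug[k][c] != 0), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        pv = aug[r][c]
        aug[r] = [x / pv for x in aug[r]]
        for k in range(n_rows):
            if k != r and aug[k][c] != 0:
                f = aug[k][c]
                aug[k] = [x - f * y for x, y in zip(aug[k], aug[r])]
        pivots.append(c)
        r += 1
    # Rows below the last pivot are all-zero in M; a non-zero right-hand side
    # there means the system a_r . C = b_r has no solution.
    if any(aug[k][-1] != 0 for k in range(r, n_rows)):
        return None
    x = [Fraction(0)] * n_cols
    for k, c in enumerate(pivots):
        x[c] = aug[k][-1]
    return x


def a_vectors(net: Net) -> Dict[Bag, Optional[List[Fraction]]]:
    """For each bag r in R(T), solve a_r . C = b_r, i.e. C^T a_r^T = b_r^T."""
    # Row j of the system is C[P, j], the j-th column of C.
    rows = [[Fraction(v) for v in incidence_column(net, t)] for t in net]
    bags = sorted({b for i_t, o_t in net.values() for b in (i_t, o_t)})
    return {r: solve_rational(rows, target_vector(net, r)) for r in bags}


def satisfies_definition3(net: Net, r: Bag, a: List[Fraction]) -> bool:
    """Check a . C[P, j] against the +1 / -1 / 0 pattern of Definition 3."""
    for t, want in zip(net, target_vector(net, r)):
        if sum(ai * cij for ai, cij in zip(a, incidence_column(net, t))) != want:
            return False
    return True


def is_pi2_net(net: Net) -> bool:
    """A Pi-net is a Pi^2-net iff every bag r admits such an a_r."""
    return all(a is not None for a in a_vectors(net).values())


if __name__ == "__main__":
    for name, net in (("Example 1", EXAMPLE1), ("Example 2", EXAMPLE2)):
        print(name, "is a Pi^2-net:", is_pi2_net(net))
        for r, a in a_vectors(net).items():
            print("  r =", r, "-> a_r =", None if a is None else [str(x) for x in a])
```

The solver returns one solution per bag (free variables set to 0), so its $\mathbf{a}_r$ for Example 1 differ from the ones listed above by a P-flow; `satisfies_definition3` checks that each returned vector meets Definition 3 all the same.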

Let us assume that the rate of $t_1$ depends on the load of $t_4$ in such a way that if the marking of $p_4$ is greater than $K_4$, $t_1$ cannot fire (because no more resource is available, for instance). Moreover, suppose that the rate of $t_1$ decreases linearly from $\mu_M$ to $\mu_m$ with the marking of $p_4$ varying from 0 to $K_4$. Then we can define $P_{C(t_1)}((\mathbf{a}_{r''}.\mathbf{m})_{r'' \notin C(t_1)})$ to be 0 if $\mathbf{m}[p_4] > K_4$ and to decrease linearly with $\mathbf{m}[p_4]$ if $0 \le \mathbf{m}[p_4] \le K_4$, since $\mathbf{a}_{r_4}.\mathbf{m} = \mathbf{m}[p_4]$, and we still have a PF steady state distribution.

Due to lack of space, we present in the rest of the paper results without functions $P_{C(t)}$. The reader will find the full version of the results in the technical report [?].



Sufficient condition for PF-SPN. We first establish a sufficient condition for a Π-net to have a PF steady state distribution, whatever the parameters (i.e. rates of transitions) of the stochastic specification of the SPN.

Theorem 3. Let $(P, T, W, Q, \mathbf{m}_0)$ be a Π²-net. Then, for any transition rates, the steady state distribution of the SPN has the product form
$$\pi(\mathbf{m}) = \frac{1}{G}\prod_{r \in \mathcal{R}(T)} \left(\frac{v(r)}{\mu(r)}\right)^{\mathbf{a}_r . \mathbf{m}} \qquad \forall \mathbf{m} \in RS(\mathbf{m}_0), \qquad (5)$$
where $G$ is a normalization constant and $v$ is a solution of Equations (1).

Let us remark that this product form expression induces, of course, a product form with respect to $\mathbf{m}$, since:
$$\prod_{r \in \mathcal{R}(T)} \left(\frac{v(r)}{\mu(r)}\right)^{\mathbf{a}_r . \mathbf{m}} = \prod_{r \in \mathcal{R}(T)} \prod_{p_i \in P} \left(\frac{v(r)}{\mu(r)}\right)^{\mathbf{a}_r[i] . \mathbf{m}[i]} = \prod_{p_i \in P} \left(\prod_{r \in \mathcal{R}(T)} \left(\frac{v(r)}{\mu(r)}\right)^{\mathbf{a}_r[i]}\right)^{\mathbf{m}[i]}.$$



Sketch of proof. We give only a sketch of the proof (see [?] for a detailed proof). The starting point is the so-called Group Local Balance Equation for a marking $\mathbf{m}$ with respect to a given vector $r$, which is a splitting of the equilibrium (Chapman-Kolmogorov) equations of the Markov chain with markings as states:
$$\pi(\mathbf{m}) \sum_{t_j \in r^\bullet} q(\mathbf{m}, \mathbf{m} - \mathbf{i}(t_j) + \mathbf{o}(t_j)) = \sum_{t_h \in {}^\bullet r} \pi(\mathbf{m} + \mathbf{i}(t_h) - \mathbf{o}(t_h))\; q(\mathbf{m} + \mathbf{i}(t_h) - \mathbf{o}(t_h), \mathbf{m}) \qquad (6)$$
Then, using the expression of the rates $q$, we introduce the proposed expression and after simplification we get:
$$\mu(r) = \sum_{t_h \in {}^\bullet r} \mu(\mathbf{i}(t_h))\, P[\mathbf{i}(t_h), r] \prod_{r' \in \mathcal{R}(T)} \left(\frac{v(r')}{\mu(r')}\right)^{\mathbf{a}_{r'}.(\mathbf{i}(t_h) - \mathbf{o}(t_h))} \qquad (7)$$
From $\mathbf{i}(t_h) - \mathbf{o}(t_h) = -C[P, h]$ and the definition of $\mathbf{a}_r$, (7) can be shown equivalent to the Traffic Equations (1).
Necessary condition for PF-SPN. The result of this section proves that the concept of Π²-net is the adapted one to capture the existence of a product form like the one of Theorem 3 for any stochastic specification of a Π-net. Combining Theorems 3 and 4, the “Π²-net property” appears as a necessary and sufficient structural condition for a net to have a product form steady state distribution for any transition rates.

Theorem 4. Let $(\mathcal{P}, T, W, Q, m_0)$ be a Π-net and $v$ a solution of the Traffic
Equations. If there is a family $(s_r)_{r \in \mathcal{R}(T)}$ of rational vectors such that the
distribution

$$\pi(m) = \frac{1}{G} \prod_{r \in \mathcal{R}(T)} \mu(r)^{s_r \cdot m} \qquad \forall m \in RS(m_0)$$

satisfies the Group Local Balance Equations (6) for any $(\mu(r))_{r \in \mathcal{R}(T)}$, then we
have

$$s_r \cdot C[\mathcal{P}, j] = \begin{cases} 1 & \text{if } t_j \in {}^\bullet r \\ -1 & \text{if } t_j \in r^\bullet \\ 0 & \text{otherwise} \end{cases}$$

Sketch of proof (see [..] for a detailed proof). The Group Local Balance
Equations for a given $m$ with respect to a given $r$ are (see (6))

$$\ldots = \sum_{t_j \in {}^\bullet r} \prod_{r' \in \mathcal{R}(T)} v(r')^{\,\cdots} \qquad (8)$$

since $a_{r'} \cdot (i(t_j) - o(t_j)) = -a_{r'} \cdot C[\mathcal{P}, j]$.

The idea is to express (8) as a multi-variable identically null "polynom" (i.e. an
extension of a multi-variable polynomial, with real valued exponents instead of
integer ones) on $\mathbb{R}^{n_P}$ and to deduce the claimed properties of the $s_r$ vectors from properties
of the coefficients of this "polynom". To this end, we introduce the vectors with
$n_P$ components $\gamma(t_j)$ and $\gamma_0$ in the following way:

$$\gamma(t_j)[r'] = \begin{cases} a_{r'} \cdot C[\mathcal{P}, j] & \text{if } r' \ne i(t_j) \\ a_{r'} \cdot C[\mathcal{P}, j] + 1 & \text{if } r' = i(t_j) \end{cases} \qquad \text{and} \qquad \gamma_0[r'] = \begin{cases} 1 & \text{if } r' = r \\ 0 & \text{otherwise} \end{cases}$$

Using these vectors, the transformation of Equation (8) provides a "polynom" with
variables $\mu(r')$. Via a technical result, it can then be shown that for all $t_j$, the
set $\{t_j \mid \gamma(t_j) \ne \gamma_0\}$ is empty, so that $\forall t_j \in {}^\bullet r$, $\gamma(t_j) = \gamma_0$. The result
then follows from the evaluation of the numbers $a_{r'} \cdot C[\mathcal{P}, j]$. □



4 Functional Properties of PF-SPN

Although Π-nets and Π²-nets are not easily comparable to standard classes of
PN, they nevertheless enjoy specific qualitative properties. This section first
reviews liveness and deadlock freeness in Π-nets; second, some results about the
complexity of reachability and liveness in Π-nets and Π²-nets are presented.
Finally, we expose results about the characterization of reachable markings in Π-nets.
Since we need to distinguish between structural and behavioural properties
of (S)PN, in this section we denote by $\mathcal{N} = (\mathcal{P}, T, W, Q)$ an SPN and by $\Sigma =
(\mathcal{N}, m_0)$ a marked SPN (also called SPN system) with initial marking $m_0$.



4.1 Some Behavioural Properties of Π-Nets

Liveness is an important property of Petri net systems. Due to the importance of
T-semiflows in Π-nets, it is not surprising that liveness in Π-net systems enjoys
particular properties, which we present below together with related results. The
following lemma is a direct consequence of Proposition [..].

Lemma 2. Let $\Sigma = (\mathcal{N}, m_0)$ be a Π-system. If $t \in T$ is enabled at $m \in
RS(m_0)$, then,

(1) all transitions of all minimal closed support T-semiflows to which $t$ belongs
can be fired;

(2) there is a firing sequence that fires all the remaining transitions in the FR*-
class of $t$.


Proposition 2. Let $\Sigma = (\mathcal{N}, m_0)$ be a Π-system.

1. If $\exists t \in T$ enabled at $m_0$ then $\Sigma$ is deadlock-free (DF).

2. $\Sigma$ is reversible.

3. $\mathcal{N}$ is structurally live (SL).

4. If there is an enabled transition in every FR*-class in the initial marking, then
$\Sigma$ is live. The converse is false.

5. If $\Sigma$ is live then $\Sigma' = (\mathcal{N}, m_0')$ with $m_0 \le m_0'$ is live too (i.e., liveness is
monotonic w.r.t. the initial marking in the net).

Proof. We only give the detailed proof of (2).

If $m_0$ is not a deadlock marking, for any $m \in RS(m_0)$ there is a finite firing
sequence $\sigma = t_{s_1}, \ldots, t_{s_q}$ such that $m_0[t_{s_1}\rangle m_1 \ldots m_{q-1}[t_{s_q}\rangle m$. Now we prove
that there is a finite firing sequence $\eta$ such that $m[\eta\rangle m_0$. Let $x$ be a closed
support T-semiflow (not necessarily minimal) such that $x \ge \sigma$. Since $x$ is a
linear combination of minimal closed support T-semiflows, it follows from Lemma
2 that from $m$, $x - \sigma$ must be firable and hence $m[x - \sigma\rangle m_0$.

Reverse of a Π-net. Finally, the next proposition addresses properties of the
reverse net of Π-nets. The reverse net of a Petri net $\mathcal{N} = (\mathcal{P}, T, W)$ is
$\mathcal{N}^{(-1)} = (\mathcal{P}, T, W^{(-1)})$, that is, the net with the same places and transitions but
reversed arcs ($W^{(-1)}(i, j) = W(j, i)$). Note that $(\mathcal{N}^{(-1)})^{(-1)} = \mathcal{N}$ and that the
incidence matrix of $\mathcal{N}^{(-1)}$ is $-C$.

Proposition 3. Let $\mathcal{N}$ be a Π-net, $\Sigma = (\mathcal{N}, m_0)$, and $\Sigma^{(-1)} = (\mathcal{N}^{(-1)}, m_0)$.

1. The reverse of a Π-net (resp. Π²-net) is a Π-net (resp. Π²-net).

2. $\Sigma$ is deadlock free iff $\Sigma^{(-1)}$ is deadlock free.

3. The reachability graph of $\Sigma^{(-1)}$ is the reverse of the reachability graph of $\Sigma$.

4. $\Sigma$ is live iff $\Sigma^{(-1)}$ is live.
Proof. For space savings, we only develop the proof of (3). If $m_0$ is not a deadlock
marking, then from Proposition 2 (2) and [..], $\Sigma$ is reversible. But in
any reversible Petri net, the announced property holds. Indeed, we have first
$RS(\Sigma^{(-1)}) = RS(\Sigma)$. Let $m \in RS(\Sigma)$. Since $\Sigma$ is reversible, there is a firing
sequence $\tau$ such that $m[\tau\rangle m_0$. Therefore, $m_0[\tau^{(-1)}\rangle m$ in $\Sigma^{(-1)}$, where $\tau^{(-1)}$ is
$\tau$ with "reversed" transitions. Now, let $m[t\rangle m'$ in $\Sigma$. We have $m' \in RS(\Sigma^{(-1)})$
and, obviously, $m'[t\rangle m$ in $\Sigma^{(-1)}$. We have proven that the reverse of the reachability
graph of $\Sigma$ is a partial graph of that of $\Sigma^{(-1)}$. The result follows, applying the same proof
to $\Sigma^{(-1)}$.



4.2 Complexity of Liveness and Reachability Problems for Π-Nets
and Π²-Nets

Condition (4) in Proposition 2 is only a sufficient condition. In fact, checking
liveness seems no easier for Π-nets, and even 1-safe¹ Π-nets, than for many
other classes of Petri nets. We have shown in Section [..] that the computation
of FR*-classes takes polynomial time. But checking liveness
requires verifying that each FR*-class is live. If some FR*-class is not initially
firable, this is still a very complex problem. Indeed, the next proposition gives some
insight into this point. We recall that for general Petri nets, Lipton's result
in [..] implies a $2^{c\sqrt{n}}$ lower bound on the space complexity of the liveness problem
(see [..] for recent surveys on decidability problems for Petri nets). In fact,
we are able to give more precise results, although the exact complexity of
reachability/liveness for Π-nets still remains an open problem.

It has been shown in [..] that the liveness problem for 1-safe nets is PSPACE-
complete. The next proposition gives a lower bound for the problem for 1-safe Π-nets.

Proposition 4. The liveness problem for 1-safe Π-nets is NP-hard.

Proof. To prove it, we reduce in polynomial time the 3SAT problem to the
liveness problem for Π-nets, following the idea first presented in [..]. The 3SAT
problem is a well known NP-complete problem. We have $K$ logical formulae
$C_1, \ldots, C_K$, each one being a disjunction of three boolean variables $v_i$ or their
negation ($\neg v_i$), from a set of $I$ variables: for instance, $v_a \vee \neg v_b \vee v_c$. The
3SAT problem is: is there a set of values for $v_1, \ldots, v_I$ such that $C_1 \wedge C_2 \wedge \cdots \wedge C_K$
is true? We explain the reduction through the example $C_1 = \ldots \vee \neg v_2 \vee v_3$,
$C_2 = v_2 \vee v_3 \vee v_4$ ($K = 2$, $I = 4$) (Figure 3).

For each variable $v_i$, we have two places $p_i$ and $p_{-i}$ and two transitions $t_i$
and $t_{-i}$. Arcs between places and transitions for $v_i$ are as indicated in the figure.
We have also $K$ sets of places $p_{C_k,i}$ (the introduction of several places for each
formula $C_k$ ensures 1-safeness). If $v_i$ is in $C_k$ (like $v_2$ in $C_2$) there is an arc
from $t_{-i}$ to $p_{C_k,i}$ and one arc from $p_{C_k,i}$ to $t_i$. In contrast, if $\neg v_i$ is in $C_k$ (like
$\neg v_2$ in $C_1$), these arcs are reversed. Otherwise, there is no arc between $t_i$, $t_{-i}$
and place $p_{C_k,i}$. Places detailed in the right dotted part ensure that the place
$p_{C_k}$ will contain at most one token ($p_{C_2,x}$ is a mutex place). Finally, we have one

¹ A 1-safe marked Petri net is a (bounded) marked net with at most one token in
every place of every reachable marking.
Fig. 3. Reduction of 3SAT to liveness in 1-safe Π-nets

transition $t_{s,1}$ (for Success) and we added place $p_s$ and transition $t_{s,2}$ to have a
Π²-net and not only a Π-net.

We can easily verify that the net is a 1-safe Π-net. The initial marking is
chosen as follows: if $v_i$ is true, there is one token in $p_i$ and one token in place
$p_{C_k,i}$ if $v_i$ is in $C_k$; if $v_i$ is false, there is one token in $p_{-i}$ and one token in place
$p_{C_k,i}$ if $\neg v_i$ is in $C_k$. In our example, we take $v_1 = v_3 =$ false, $v_2 = v_4 =$ true.
Clearly the formula is true for a given set of boolean values of the variables if the
transition $t_{s,1}$ is live, and the same holds for the reachability of a marking with one
token in $p_s$.

Thus, there is still an open problem for Π-nets since the upper bound of
complexity for general Petri nets is in PSPACE. By contrast, the next proposition
provides an exact characterization of the complexity of the problems for (1-safe)
Π²-nets. This distinctive result strengthens the specific character of the Π²-net
class.

Proposition 5. (1) The liveness and the reachability problems for 1-safe Π²-
nets are PSPACE-complete.

(2) The reachability problem for Π²-nets is EXPSPACE-complete.

Proof. Due to lack of space, we only address claim (2). For symmetric net
systems, we know that the reachability problem is EXPSPACE-complete.
A net is symmetric iff for every transition $t$, there is a "reverse" transition $t'$
whose firing "undoes" the effect of the firing of $t$, i.e., the input places of $t$ are
the output places of $t'$ and vice versa. Symmetric nets are clearly Π²-nets. Thus,
the reachability problem is EXPSPACE-hard for Π²-nets. But any Π²-net defines
implicitly a symmetric net: for any transition $t$, we may add a reverse transition $t'$
without changing the resulting reachability graph, because the closed T-semiflow
(without $t$) of transitions to which $t$ belongs acts exactly as $t'$ when fired in a
cyclic way. Thus, the reachability problem for Π²-nets is reducible to the one for
symmetric nets, hence in EXPSPACE, and finally EXPSPACE-complete.



4.3 Algebraic Properties of PF-SPN

The availability of a product form equilibrium distribution allows the development
of computational algorithms that are analogous to those developed for
product form solution queueing networks (e.g. [..]). For instance, proposals
for algorithms for the computation of performance measures through the
normalization constant calculus can be found in [..]. In [..] a set of Arrival
Theorems, similar to the analogous results developed for product form solution
queueing networks, was proven, leading to a Mean Value Analysis (MVA)
for the computation of performance measures for PF-SPNs. MVA for SPNs was
also studied in [..].

This last section discusses properties of reachable markings related to the solution
of PF-SPN. For the development of computational algorithms for PF-SPN,
the reachability set (RS) of the SPN must be partitioned according to certain
criteria depending on the particular algorithm. For instance, the normalization
constant computation algorithm requires a partitioning of the reachability set
that groups together all the markings with a constant number of tokens in a
given place. It is then important to know whether the reachable markings of a Π-net
system may be characterized, among all markings, by some specific criterion based
on their value and structural elements of the net. The most common such criteria
are the so-called state equation and the one based on the minimal P-semiflows
of the net. The difficulty then lies in the quality of those criteria, i.e. whether
they allow one to select all reachable markings, and only reachable markings.

Let us recall that the state equation $m = m_0 + C \cdot \sigma$ is an algebraic equation
that gives a necessary condition for a marking to be reachable. The set of vectors
$m \in \mathbb{N}^{|\mathcal{P}|}$ such that $\exists \sigma \in \mathbb{N}^{|T|} : m = m_0 + C \cdot \sigma$ is called the Potential Reachability
Set (PRS) of the net. Obviously, $RS(m_0) \subseteq PRS(m_0)$. In the literature,
there are several proposals of computational algorithms for PF-SPN. They use a
reachability characterization based on the minimal P-semiflows. Therefore, another
set of "potential" markings has been defined. Let $B$ be the matrix whose
rows are the set of minimal P-semiflows of the net. The Potential Reachability
Set with respect to $B$ is the set $PRS^B(m_0) = \{m \mid B \cdot m = B \cdot m_0\}$. Clearly,
$PRS(m_0) \subseteq PRS^B(m_0)$ since $B \cdot C = 0$.

An unreachable marking belonging to one of these PRS is called a spurious
marking (see [..] for a detailed study of several kinds of PRS). We show below
that, unfortunately, neither of these two characterizations is able to capture all
the peculiarities of PF-SPN, that is to say that there are Π-nets with spurious
markings for PRS (thus for $PRS^B$).

Fig. 4. Π-net and potential reachability: (a) $PRS(m_0) \ne PRS^B(m_0)$; (b) unbounded
and (c) bounded Π-systems with spurious markings

First we may have $PRS(m_0) \ne PRS^B(m_0)$ in Π-systems. This happens even
in such a simple case as the Π-cycle of Figure 4(a): the dead marking $m_1 = [1, 1]^T$
has the same dot-product with the P-semiflow $Y = [1, 1]^T$ as the live one $m_0 =
[2, 0]^T$, although there is no $\sigma \in \mathbb{N}^{|T|}$ satisfying the state equation $m_1 = m_0 + C \cdot \sigma$.

For what concerns the characterization of the reachability set of a Π-net in
terms of the potential reachability set, the proposition below (we omit the proof for
lack of space) provides a rather positive result, but we give next two examples
which prove that the properties of Π-nets are not strong enough to prevent the
existence of spurious markings.

Proposition 6. With respect to the state equation,

(1) The potential reachability graph of $(\mathcal{N}, m_0)$ is equal to the reverse of the
potential reachability graph of $(\mathcal{N}^{(-1)}, m_0)$.

(2) Spurious markings (if they exist) cannot be transient, i.e., if $m \in PRS(m_0) \setminus
RS(m_0)$, then there is no firing sequence $\sigma$ such that $m[\sigma\rangle m'$ with $m' \in RS(m_0)$.

The net of Figure 4(b) gives the first negative result. For this unbounded Π-
net it is possible to see that $m = [0, 0, 0]$ is a spurious marking. We can see that
for any initial marking $m_0 = [k_1, k_2, k_3]$, $m_0[t_1^{k_1}\rangle m_1 = [0, k_1 + k_2, k_1 + k_3]$
$[\ldots\rangle m_2 = [0, 0, 2k_1 + k_2 + k_3]$. Setting $k = 2k_1 + k_2 + k_3$ we have $m_2[(t_3 t_2)^{k-1}\rangle m_3 = [0, 0, 1]$.
Now "firing" $t_2 t_3$ the null marking is spuriously reached.

The net of Figure 4(c) gives another and definitive negative result. This Π-net
is bounded but it is possible to see that $m = [0, 0, 1, 0, 1]$ is a spurious marking.
Indeed, from the initial marking $m_0 = [0, 1, 0, 0, 1]$ and with the "firing" of $t_2$
we obtain the marking $[0, 0, 1, 0, 1]$, which is not a reachable marking. Hence we
have $m \in PRS(m_0)$ but $m \notin RS(m_0)$.
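The two criteria just discussed can be exercised mechanically. The following is an added example, not code from the paper: it computes $RS(m_0)$ by exploration, tests membership in $PRS(m_0)$ through the state equation and in $PRS^B(m_0)$ through the P-semiflow matrix $B$, on two constructed nets. Net A is a two-place cycle whose arc weights are chosen to reproduce the numbers quoted for Figure 4(a) (P-semiflow $Y = [1, 1]$, live $m_0 = [2, 0]$, dead $m_1 = [1, 1]$); the actual arcs of the figure are not on this page, so this net is an assumption. Net B is a constructed bounded net (not claimed to be a Π-net) in which two transitions each need a token that only the other produces, so the state equation accepts a marking that no firing sequence can reach, a spurious marking of the kind Figures 4(b) and 4(c) illustrate.

```python
"""Reachability set versus two potential reachability sets.

Constructed example (not code from the paper): a net is given by its Pre and
Post matrices, rows = places, columns = transitions.  C = Post - Pre is the
incidence matrix that the state equation m = m0 + C.sigma uses, so anything
that only shows up in Pre (for instance a cyclic dependency between two
transitions) is invisible to the state equation.
"""
from collections import deque
from itertools import product


def incidence(pre, post):
    """C = Post - Pre."""
    return [[post[i][j] - pre[i][j] for j in range(len(pre[0]))]
            for i in range(len(pre))]


def enabled(pre, m, t):
    return all(m[i] >= pre[i][t] for i in range(len(m)))


def fire(pre, post, m, t):
    return tuple(m[i] - pre[i][t] + post[i][t] for i in range(len(m)))


def reachability_set(pre, post, m0, limit=10_000):
    """Exact RS(m0) by breadth-first exploration; the net must be bounded."""
    start = tuple(m0)
    seen, queue = {start}, deque([start])
    while queue:
        m = queue.popleft()
        for t in range(len(pre[0])):
            if enabled(pre, m, t):
                m2 = fire(pre, post, m, t)
                if m2 not in seen:
                    if len(seen) >= limit:
                        raise RuntimeError("too many markings; net may be unbounded")
                    seen.add(m2)
                    queue.append(m2)
    return seen


def in_prs_state_equation(c, m0, m, bound=6):
    """m in PRS(m0): some sigma in N^|T| solves m = m0 + C.sigma.

    Exhaustive search over 0..bound per transition, which is enough for the
    toy nets below; a real tool would hand this to an ILP solver."""
    k, n = len(c[0]), len(m)
    for sigma in product(range(bound + 1), repeat=k):
        if all(m0[i] + sum(c[i][j] * sigma[j] for j in range(k)) == m[i]
               for i in range(n)):
            return True
    return False


def _dot(y, v):
    return sum(y[i] * v[i] for i in range(len(v)))


def is_p_semiflow_basis(b, c):
    """Every row y of B must satisfy y.C = 0, so y.m is invariant under firing."""
    return all(sum(y[i] * c[i][j] for i in range(len(y))) == 0
               for y in b for j in range(len(c[0])))


def in_prs_semiflow(b, m0, m):
    """m in PRS^B(m0): B.m == B.m0."""
    return all(_dot(y, m) == _dot(y, m0) for y in b)


def classify(pre, post, b, m0, m):
    """Where a marking sits: reachable, in PRS (state equation), in PRS^B."""
    c = incidence(pre, post)
    assert is_p_semiflow_basis(b, c), "B is not made of P-semiflows"
    return {"reachable": tuple(m) in reachability_set(pre, post, m0),
            "state_equation": in_prs_state_equation(c, m0, m),
            "semiflow": in_prs_semiflow(b, m0, m)}


# Net A (constructed): a two-place cycle whose arcs all have weight 2.  It
# reproduces the numbers quoted for Figure 4(a): P-semiflow Y = [1, 1],
# live m0 = [2, 0], dead m1 = [1, 1].  Places p1, p2; transitions t1, t2.
PRE_A = [[2, 0],
         [0, 2]]
POST_A = [[0, 2],
          [2, 0]]
B_A = [[1, 1]]

# Net B (constructed): t1 needs r, which only t2 produces, and t2 needs q and
# s, which only t1 produces.  sigma = t1 + t2 satisfies the state equation
# from m0 but neither ordering is ever enabled.  Places p, q, r, s, p', u;
# transitions t1: p + r -> q + s, t2: q + s -> r + p', t3: p -> u.
PRE_B = [[1, 0, 1],
         [0, 1, 0],
         [1, 0, 0],
         [0, 1, 0],
         [0, 0, 0],
         [0, 0, 0]]
POST_B = [[0, 0, 0],
          [1, 0, 0],
          [0, 1, 0],
          [1, 0, 0],
          [0, 1, 0],
          [0, 0, 1]]
B_B = [[1, 1, 0, 0, 1, 1], [1, 0, 0, 1, 1, 1],
       [0, 1, 1, 0, 0, 0], [0, 0, 1, 1, 0, 0]]

if __name__ == "__main__":
    print(classify(PRE_A, POST_A, B_A, [2, 0], [1, 1]))
    print(classify(PRE_B, POST_B, B_B, [1, 0, 0, 0, 0, 0], [0, 0, 0, 0, 1, 0]))
```

For net A the marking $[1, 1]$ passes the P-semiflow test and fails the state equation, which is exactly the $PRS^B \ne PRS$ situation of Figure 4(a); for net B the marking $[0, 0, 0, 0, 1, 0]$ passes both tests and is still unreachable, a spurious marking. The bounded enumeration in `in_prs_state_equation` keeps the example self-contained; on a real net the state equation is an integer linear feasibility problem and goes to an ILP solver.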
5 Conclusion

SPN with PF solution were introduced some years ago as an extension of
closed form solution methods of QN to SPN, which allow modelling systems with
more complex synchronization schemes. In this paper we have presented four
groups of new results giving a better insight into PF-SPN and allowing an efficient
handling of this class of nets. We have first established a polynomial-time
algorithm to check if a given SPN is a PF-SPN. This is an interesting result, in
contrast with the general computation of T-semiflows which may produce an
exponential number of T-semiflows (with respect to the size of the net). Then, we
have proven a rate independent structural characterization of PF-SPN, which can
also be checked in polynomial time. We call Π²-nets the subclass of Π-nets satisfying
this criterion. Moreover, for Π²-nets, we are able to define transition rates
globally dependent on components of the net "not related with" the considered
transition, so that we can model complex dependencies of activities on some other
ones. Third, we have investigated untimed properties for the class of PF-SPN.
We have shown that Π-nets, and even Π²-nets, do not fit in any standard class
of PN. Nevertheless, we have proved specific properties for deadlock-freeness,
liveness and reverse nets for Π-nets. For what concerns liveness/reachability in
Π-nets and Π²-nets, we were able to somewhat refine the complexity bounds known
for general PN. Finally, with examples and one proposition, we have given some
answers, both positive and negative, to the problem of potential reachability, i.e.
reachability based upon structural properties of the net. The interested reader
will find detailed proofs and full versions of results in [..].
Abstract. This paper presents new results concerned with liveness,
liveness of a subset of transitions and deadlock in Petri nets. Liveness
is seen as a particular case of what we call T-liveness: all transitions
in the set T are live. The first results characterize the relation between
supervisors enforcing liveness and T-liveness with supervisors preventing
deadlock. Then we introduce a class of Petri net subnets allowing us
to extend two well known results. Specifically we generalize the result
relating deadlock to siphons and the extension to asymmetric choice
Petri nets of the Commoner's Theorem. We conclude by considering
how the theoretical results of this paper can be used for deadlock
prevention, least restrictive deadlock prevention and least restrictive
T-liveness enforcement.

Keywords: liveness, deadlock, synthesis of liveness supervisors, structural
properties of Petri nets.



1 Introduction 

In this paper we consider three supervisory problems: deadlock prevention, liveness
enforcement, and T-liveness enforcement, where the latter denotes enforcing
that all transitions in a transition subset T of a Petri net are live. Deadlock
prevention corresponds to preventing the system from reaching a state of total
deadlock. Liveness corresponds to the stronger requirement that no local deadlock
occurs, or in other words, all transitions are live. T-liveness means that all
transitions in the set T are live. It is useful in problems where some transitions
correspond to undesirable system events (such as faults).

A way to study the liveness properties of a Petri net uses the reachability
graph. However this approach can only handle bounded Petri nets, needs the
initial marking to be known, and due to the state explosion problem, requires
reasonably small Petri nets. Unfolding has been proposed to reduce the computational
burden [..], however the other two limitations remain. In this paper
we consider the structural approach to the liveness problem. The structural approach
relies on the algebraic properties of the incidence matrix. Thus the initial
marking is regarded as a parameter and unbounded Petri nets can be tackled.
Our work has been inspired by the incidence matrix properties of repetitive Petri
nets (e.g. [..]). Related work includes [..], presenting among others an extension
of the relation between deadlocked Petri nets and siphons for generalized Petri
nets, and a generalization of the extension to asymmetric choice Petri nets of
the Commoner's Theorem. However, our supervisory perspective, our concern with
T-liveness and our consideration of arbitrary Petri nets, including nonrepetitive
Petri nets, differentiate this paper from previous works.

The contribution of this paper is described in Sections 3, 4 and the appendix.
To the authors' knowledge, all results presented in these sections and the appendix
are new, except for part (b) of Proposition 3.

We begin in Section 3.1 by characterizing the relation which exists among
deadlock prevention, T-liveness enforcement and liveness enforcement. Thus we
answer the following questions: (a) Which are the Petri nets in which deadlock
prevention, or T-liveness enforcement, or liveness enforcement is possible? and
(b) When is deadlock prevention equivalent to T-liveness enforcement or liveness
enforcement? We answer question (a) in Proposition 3 and question (b) in
Theorems 2 and [..]. Theorem 2 considers the case of the deadlock prevention
supervisors which are not more restrictive than liveness or T-liveness supervisors;
Theorem [..] considers the general case. We conclude the first part of the paper
with Theorem [..], which states that the transitions of a Petri net can be divided in
two classes: transitions which can be made live under an appropriate supervisor
for some initial markings, and transitions which cannot be made live under any
circumstances. Theorem [..] is very important for the theoretical developments
which follow in the remaining part of the paper.

The most important part of the paper is Section [..]. In this section we show
how to characterize Petri nets for deadlock prevention and liveness enforcement
based on a special type of subnets. Thus we begin by defining what we call the
active subnets of a Petri net. Then we define a special class of siphons, which we
call active siphons. Proposition [..] is a necessary condition for deadlock which generalizes
the known result that a deadlocked ordinary Petri net contains an empty
siphon. Proposition [..] is a further extension, as it gives a sufficient condition in
terms of empty active siphons for deadlock to be unavoidable. Commoner's Theorem
on free-choice Petri nets has been extended to asymmetric-choice Petri nets
[..]; see also [..]. We further extend the result in Theorem [..]: we show that each
dead transition is in the postset of an uncontrolled siphon. Then in Theorem
[..] we give a necessary and sufficient condition for T-liveness in an asymmetric
choice Petri net. Polynomial complexity algorithms for the computation of the
active subnets are included in the appendix.

We conclude our paper with Section 4, which shows the significance of our
results for deadlock prevention and liveness enforcement. Examples are included.
In Sections 4.1 and [..] we consider deadlock prevention and T-liveness enforcement.
In Section [..] we include Theorem [..], which shows how to do least restrictive
deadlock prevention.

2 Preliminaries

We denote a Petri net by $\mathcal{N} = (P, T, F, W)$, where $P$ is the set of places, $T$ the
set of transitions, $F$ the set of transition arcs and $W$ the transition arc weight
function. We use the symbol $\mu$ to denote a marking and we write $(\mathcal{N}, \mu_0)$ when
we consider the Petri net $\mathcal{N}$ with the initial marking $\mu_0$. The incidence matrix
of a Petri net is denoted by $D$, where the rows correspond to places and the
columns to transitions. Also, by denoting a place by $p_i$ or a transition by $t_j$, we
assume that $p_i$ corresponds to the $i$'th row of $D$ and $t_j$ to the $j$'th column of $D$.
We use the notation $\mu \xrightarrow{\sigma} \mu'$ to express that the marking $\mu$ enables the firing
sequence $\sigma$ and $\mu'$ is reached by firing $\sigma$.

A Petri net $\mathcal{N} = (P, T, F, W)$ is ordinary if $\forall f \in F : W(f) = 1$. We
will refer to slightly more general Petri nets in which only the arcs from places
to transitions have weights equal to one. We are going to call such Petri nets
PT-ordinary, because all arcs $(p, t)$ from a place $p$ to a transition $t$ satisfy the
requirement of an ordinary Petri net that $W(p, t) = 1$.

Definition 1. Let $\mathcal{N} = (P, T, F, W)$ be a Petri net. We call $\mathcal{N}$ PT-ordinary
if $\forall p \in P\ \forall t \in T$, if $(p, t) \in F$ then $W(p, t) = 1$.

An asymmetric choice Petri net is defined by the property that $\forall p_1, p_2 \in P$:
if $p_1^\bullet \cap p_2^\bullet \ne \emptyset$ then $p_1^\bullet \subseteq p_2^\bullet$ or $p_2^\bullet \subseteq p_1^\bullet$.

A siphon is a set of places $S \subseteq P$, $S \ne \emptyset$, such that ${}^\bullet S \subseteq S^\bullet$. A siphon $S$ is
minimal if there is no siphon $S' \subset S$. A siphon is empty at a marking $\mu$ if it
contains no tokens. Given a Petri net $(\mathcal{N}, \mu_0)$, a controlled siphon is a siphon
which is not empty at any reachable marking. A well known necessary condition
for deadlock [..] is that a deadlocked ordinary Petri net contains at least one
empty siphon. It can easily be seen that the proof of this result is also valid for
PT-ordinary Petri nets.

Proposition 1. A deadlocked PT-ordinary Petri net contains at least one empty
siphon.
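The notions of siphon, empty siphon and controlled siphon, and the check behind Proposition 1, on a constructed PT-ordinary net (added example, not code from the paper): two processes acquire two shared resources in opposite order, the usual circular-wait pattern. The code enumerates the minimal siphons, explores the reachable markings, and verifies that every reachable deadlock leaves some minimal siphon empty; it also reports which siphons are controlled. Place and transition names, the Pre/Post matrices and the initial marking are the example's own assumptions.

```python
"""Siphons, controlled siphons and Proposition 1 on a constructed example.

Not code from the paper.  A PT-ordinary net is given by Pre/Post matrices
(rows = places, columns = transitions, all Pre entries 0 or 1).  A siphon S
is a set of places with preset(S) subset of postset(S): once S is empty, no
transition can ever put a token back into it.
"""
from collections import deque
from itertools import combinations


def preset(post, places):
    """Transitions that put tokens into some place of the set."""
    return {t for i in places for t in range(len(post[0])) if post[i][t] > 0}


def postset(pre, places):
    """Transitions that take tokens from some place of the set."""
    return {t for i in places for t in range(len(pre[0])) if pre[i][t] > 0}


def minimal_siphons(pre, post):
    """All minimal siphons by subset enumeration (fine for small nets)."""
    found = []
    for size in range(1, len(pre) + 1):
        for s in combinations(range(len(pre)), size):
            s = frozenset(s)
            if any(m <= s for m in found):   # contains a smaller siphon: not minimal
                continue
            if preset(post, s) <= postset(pre, s):
                found.append(s)
    return found


def enabled(pre, m, t):
    return all(m[i] >= pre[i][t] for i in range(len(m)))


def reachability_set(pre, post, m0, limit=10_000):
    """Exact RS(m0) by breadth-first exploration; the net must be bounded."""
    start = tuple(m0)
    seen, queue = {start}, deque([start])
    while queue:
        m = queue.popleft()
        for t in range(len(pre[0])):
            if enabled(pre, m, t):
                m2 = tuple(m[i] - pre[i][t] + post[i][t] for i in range(len(m)))
                if m2 not in seen:
                    if len(seen) >= limit:
                        raise RuntimeError("too many markings; net may be unbounded")
                    seen.add(m2)
                    queue.append(m2)
    return seen


def deadlocks(pre, post, m0):
    """Reachable markings at which no transition is enabled."""
    return {m for m in reachability_set(pre, post, m0)
            if not any(enabled(pre, m, t) for t in range(len(pre[0])))}


def empty_siphons_at(siphons, m):
    return [s for s in siphons if all(m[i] == 0 for i in s)]


def controlled_siphons(pre, post, m0, siphons):
    """Siphons that are marked at every reachable marking."""
    rs = reachability_set(pre, post, m0)
    return [s for s in siphons if all(any(m[i] > 0 for i in s) for m in rs)]


def proposition1_holds(pre, post, m0):
    """Every reachable deadlock must leave at least one minimal siphon empty."""
    siphons = minimal_siphons(pre, post)
    return all(empty_siphons_at(siphons, m) for m in deadlocks(pre, post, m0))


# Constructed net: processes A and B each take resources r1 and r2, in
# opposite order.  Places: a1 a2 a3 b1 b2 b3 r1 r2 (indices 0..7).
# Transitions: tA1 a1+r1->a2, tA2 a2+r2->a3, tA3 a3->a1+r1+r2,
#              tB1 b1+r2->b2, tB2 b2+r1->b3, tB3 b3->b1+r1+r2.
PRE = [[1, 0, 0, 0, 0, 0],
       [0, 1, 0, 0, 0, 0],
       [0, 0, 1, 0, 0, 0],
       [0, 0, 0, 1, 0, 0],
       [0, 0, 0, 0, 1, 0],
       [0, 0, 0, 0, 0, 1],
       [1, 0, 0, 0, 1, 0],
       [0, 1, 0, 1, 0, 0]]
POST = [[0, 0, 1, 0, 0, 0],
        [1, 0, 0, 0, 0, 0],
        [0, 1, 0, 0, 0, 0],
        [0, 0, 0, 0, 0, 1],
        [0, 0, 0, 1, 0, 0],
        [0, 0, 0, 0, 1, 0],
        [0, 0, 1, 0, 0, 1],
        [0, 0, 1, 0, 0, 1]]
M0 = [1, 0, 0, 1, 0, 0, 1, 1]

if __name__ == "__main__":
    siphons = minimal_siphons(PRE, POST)
    for m in deadlocks(PRE, POST, M0):
        print("deadlock", m, "empty siphons:",
              [sorted(s) for s in empty_siphons_at(siphons, m)])
    print("controlled:", [sorted(s) for s in controlled_siphons(PRE, POST, M0, siphons)])
```

The one reachable deadlock (A holding r1 and waiting for r2, B holding r2 and waiting for r1) empties the minimal siphon {a3, b3, r1, r2}, while the process cycles {a1, a2, a3} and {b1, b2, b3} are controlled siphons since each always carries exactly one token. Subset enumeration is exponential in the number of places; it is adequate here, and real tools compute siphons algebraically.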

In general we may not want all transitions to be live. For instance some
transitions of a Petri net may model faults and we want to ensure that some
other transitions are live. This is the motivation of the next definition.

Definition 2. Let $(\mathcal{N}, \mu_0)$ be a Petri net and $T$ a subset of the set of transitions.
We say that the Petri net is $T$-live if all transitions $t \in T$ are live.

A live transition is not the opposite of a dead transition. That is, a transition
may be neither live nor dead. Indeed, a transition is live if there is no reachable
marking for which it is dead. Note also that T-liveness corresponds to liveness
when the set $T$ equals the set of all Petri net transitions. In what follows we
define what we mean by a supervisor.
Definition 3. Let $\mathcal{N} = (P, T, F, W)$ be a Petri net, $\mathcal{M}$ the set of all markings
of $\mathcal{N}$, $\mathcal{M}_0 \subseteq \mathcal{M}$ and $U \subseteq \mathcal{M} \times T^{*}$¹ such that $\forall \mu_0 \in \mathcal{M}_0: (\mu_0, \varepsilon)$² $\in U$. A
supervisor is a map $S : U \to 2^T$ such that $\forall (\mu, \sigma) \in U\ \forall t \in S(\mu, \sigma)$: if
$\mu \xrightarrow{t} \mu'$, then $(\mu', \sigma t) \in U$. We say that $\mathcal{M}_0$ is the set of initial markings for
which $S$ is defined. We also say that $S$ is a marking based supervisor if
$S(\mu, \sigma)$ depends only on $\mu$ and $\forall (\mu, \sigma) \in U: \{\mu\} \times T^* \subseteq U$.

A Petri net $(\mathcal{N}, \mu_0)$ supervised by $S$ operates as follows: at every marking
$\mu$ reached by firing some $\sigma$ from $\mu_0$ ($\mu_0 \xrightarrow{\sigma} \mu$), only transitions in $S(\mu, \sigma)$
may fire. We denote by $(\mathcal{N}, \mu_0, S)$ the supervised Petri net and by $\mathcal{R}(\mathcal{N}, \mu_0, S)$
its set of reachable markings. A marking based supervisor is memoryless, as it
only depends on the marking. We say that $S_1$ is less restrictive (or more
permissive) than $S_2$ w.r.t. $(\mathcal{N}, \mu_0)$ if the set of firing sequences firable from $\mu_0$
in $(\mathcal{N}, \mu_0, S_2)$ is a proper subset of the set of firing sequences firable from $\mu_0$ in
$(\mathcal{N}, \mu_0, S_1)$. We say that deadlock can be prevented in a Petri net $\mathcal{N}$ if there
is an initial marking $\mu_0$ and a supervisor $S$ such that $(\mathcal{N}, \mu_0, S)$ is deadlock-free.
We say that liveness (T-liveness) can be enforced in $\mathcal{N}$ if there is an initial
marking $\mu_0$ and a supervisor $S$ such that $(\mathcal{N}, \mu_0, S)$ is live (T-live). It is known
that if $(\mathcal{N}, \mu_0)$ is live, then $(\mathcal{N}, \mu)$ with $\mu \ge \mu_0$ may not be live. The same is
true for deadlock-freedom, as shown in Figure 1. The next result shows that if
liveness (T-liveness) is enforceable at marking $\mu$ or if deadlock can be prevented at
$\mu$, then the same is true for all markings $\mu' \ge \mu$.

Proposition 2. If a supervisor $S : U \to 2^T$ which prevents deadlock (enforces
(T-)liveness) in $(\mathcal{N}, \mu_0)$ exists, then for all $\mu \ge \mu_0$ there is a supervisor which
prevents deadlock (enforces (T-)liveness) in $(\mathcal{N}, \mu)$.

Proof. Let $\mu_1 \ge \mu_0$. A supervisor for $(\mathcal{N}, \mu_1)$ is $S_1$ defined by

$$S_1(\mu + \mu_1 - \mu_0, \sigma) = \begin{cases} S(\mu, \sigma) & \text{for } (\mu, \sigma) \in U \\ \emptyset & \text{otherwise} \end{cases}$$

□



As we prove in the next section, the Petri net structures in which liveness
can be enforced (for some initial markings) are the repetitive Petri nets, and
the Petri net structures in which deadlock can be prevented are the partially
repetitive Petri nets. In what follows we formally define these two Petri net
classes.

Definition 4. [..] A Petri net is said to be (partially) repetitive if there is
a marking $\mu_0$ and a firing sequence $\sigma$ from $\mu_0$ such that every (some) transition
occurs infinitely often in $\sigma$.

A test allowing one to check whether a Petri net is (partially) repetitive uses the
incidence matrix $D$ and is presented next. Linear programming techniques can
be used to implement the test.

¹ $T^*$ is the set of all firing sequences with transitions in $T$
² $\varepsilon \in T^*$ denotes the empty firing sequence
Fig. 1. A Petri net which is live for the initial marking $\mu_0$ shown in (a) and not even
deadlock-free for the initial marking $\mu_0' > \mu_0$ shown in (b).

Theorem 1. [..] A Petri net is (partially) repetitive iff a vector $x$ of positive
(nonnegative) integers exists, such that $Dx \ge 0$ and $x \ne 0$.

3 Results 

3.1 Conditions for Deadlock Prevention and Liveness Enforcement 

In general it may not be possible to enforce liveness or to prevent deadlock 
in an arbitrary given Petri net. This may happen because the initial marking is 
inappropriate or because the structure of the Petri net is incompatible with such 
a supervision purpose. The next proposition characterizes the structure of Petri 
nets which allow supervision for deadlock prevention and liveness enforcement, 
respectively. It shows that Petri nets in which liveness is enforceable are repetitive,
and Petri nets in which deadlock is avoidable are partially repetitive. Part (b)
of the proposition also appears in [..].

Proposition 3. Let $\mathcal{N} = (P, T, F, W)$ be a Petri net.

(a) Initial markings $\mu_0$ exist such that deadlock can be prevented in $(\mathcal{N}, \mu_0)$ iff
$\mathcal{N}$ is partially repetitive.

(b) Initial markings $\mu_0$ exist such that liveness can be enforced in $(\mathcal{N}, \mu_0)$ iff $\mathcal{N}$
is repetitive.

(c) Initial markings $\mu_0$ exist such that $T$-liveness can be enforced in $(\mathcal{N}, \mu_0)$ iff
there is an initial marking $\mu_0$ enabling an infinite firing sequence in which
all transitions of $T$ appear infinitely often.

Proof.

(a) If deadlock can be avoided in $(\mathcal{N}, \mu_0)$ then $\mu_0$ enables some infinite firing
sequence $\sigma$, and by definition $\mathcal{N}$ is partially repetitive. If $\mathcal{N}$ is partially
repetitive, then let $\mu_0$ and $\sigma$ be as in Definition 4; we define $S$ such that it
only allows $\sigma$ to fire from $\mu_0$. Then $S$ prevents deadlock.

(b) and (c) The proof is similar to (a). □
If $\mathcal{N}$ is partially repetitive, a constructive way to obtain an initial marking
for which deadlock can be prevented or (T-)liveness can be enforced is implied
by Theorem 1. Let $x$ be as in Theorem 1 and $\sigma_x = t_{x_1} \ldots t_{x_k}$ a firing sequence
associated to a firing vector $q = x$. Let $q_1$ denote the firing vector after the first
transition of $\sigma_x$ fired, $q_2$ after the first two fired, and so on to $q_k = q$. If the
rows of $D$ are $d_1^T, d_2^T, \ldots, d_{|P|}^T$, $\delta_{ij} = W(p_i, t_{x_j})$ if $t_{x_j} \in p_i^\bullet$ and $\delta_{ij} = 0$
otherwise, then a marking which enables $\sigma_x$ is

$$\mu_0(p_i) = \max\Big\{0,\ \delta_{i,1},\ \max_{j = 1 \ldots k-1}\{\delta_{i,j+1} - d_i^T q_j\}\Big\} \qquad i = 1 \ldots |P| \qquad (1)$$

At least one deadlock prevention strategy exists for $\mu_0$: to allow only the firing
sequence $\sigma_x, \sigma_x, \sigma_x, \ldots$ to fire. This infinite firing sequence is enabled by $\mu_0$
because $\mu_0 + Dx \ge \mu_0$ and $\mu_0$ enables $\sigma_x$.
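Theorem 1's test and the marking construction (1), carried out on a constructed net (added example, not code from the paper). The net, its Pre/Post matrices and the enumeration bound are the example's own assumptions; the search for a repetitive vector is a bounded enumeration rather than the linear program the text points to, which is enough for a three-transition net. The code finds a nonnegative $x$ with $Dx \ge 0$, builds $\mu_0$ from (1) for a firing order $\sigma_x$ of $x$, and then plays the supervisor that only allows $\sigma_x \sigma_x \sigma_x \ldots$, checking that every round is enabled and that the marking never drops below $\mu_0$.

```python
"""Theorem 1 test and the initial-marking construction (1) on a constructed net.

Not code from the paper.  D is the incidence matrix (rows = places, columns =
transitions).  A net is partially repetitive iff some x >= 0, x != 0 has
D x >= 0, and repetitive iff such an x exists with every component > 0.  The
text points at linear programming for this test; here the search is a plain
bounded enumeration, which is enough for a net this small.
"""
from itertools import product


def matvec(d, x):
    return [sum(d[i][j] * x[j] for j in range(len(x))) for i in range(len(d))]


def repetitive_vector(d, bound=4, positive=False):
    """First x (in enumeration order) with D x >= 0.  positive=True asks for a
    vector of positive integers (repetitive net) instead of a nonnegative
    nonzero one (partially repetitive).  None if nothing exists within bound."""
    k = len(d[0])
    for x in product(range(bound + 1), repeat=k):
        if positive and any(v == 0 for v in x):
            continue
        if not positive and all(v == 0 for v in x):
            continue
        if all(v >= 0 for v in matvec(d, x)):
            return x
    return None


def initial_marking(pre, d, seq):
    """Equation (1): a marking that enables seq = t_{x_1} ... t_{x_k}.

    delta_{i,j} = W(p_i, t_{x_j}) = Pre[i][t_{x_j}]; q_j is the firing count
    vector after the first j transitions of seq; d_i is row i of D."""
    mu0 = []
    for i in range(len(pre)):
        cands = [0, pre[i][seq[0]]]                   # 0 and delta_{i,1}
        q = [0] * len(d[0])
        for j in range(len(seq) - 1):
            q[seq[j]] += 1                            # q_j
            di_qj = sum(d[i][t] * q[t] for t in range(len(q)))
            cands.append(pre[i][seq[j + 1]] - di_qj)  # delta_{i,j+1} - d_i^T q_j
        mu0.append(max(cands))
    return mu0


def fire_sequence(pre, post, m, seq):
    """Fire seq from m; return the final marking, or None if a step is disabled."""
    m = list(m)
    for t in seq:
        if any(m[i] < pre[i][t] for i in range(len(m))):
            return None
        m = [m[i] - pre[i][t] + post[i][t] for i in range(len(m))]
    return m


def deadlock_free_by_cycling(pre, post, mu0, seq, rounds=50):
    """The supervisor that only allows seq, seq, seq, ...: every round must be
    enabled and the marking must never drop below mu0."""
    m = list(mu0)
    for _ in range(rounds):
        m = fire_sequence(pre, post, m, seq)
        if m is None or any(m[i] < mu0[i] for i in range(len(mu0))):
            return False
    return True


# Constructed net: t1: p1 -> 2 p2, t2: 2 p2 -> p1, t3: p3 -> (nothing).
# t3 only consumes, so it can never repeat: the net is partially repetitive
# but not repetitive.  Rows p1, p2, p3; columns t1, t2, t3.
PRE = [[1, 0, 0],
       [0, 2, 0],
       [0, 0, 1]]
POST = [[0, 1, 0],
        [2, 0, 0],
        [0, 0, 0]]
D = [[POST[i][j] - PRE[i][j] for j in range(3)] for i in range(3)]

if __name__ == "__main__":
    x = repetitive_vector(D)                              # (1, 1, 0)
    seq = [t for t in range(3) for _ in range(x[t])]      # one firing order for x
    mu0 = initial_marking(PRE, D, seq)                    # [1, 0, 0]
    print(x, seq, mu0, deadlock_free_by_cycling(PRE, POST, mu0, seq))
```

The marking (1) depends on the chosen order: for $\sigma_x = t_1 t_2$ it yields $[1, 0, 0]$, for $\sigma_x = t_2 t_1$ it yields $[0, 2, 0]$, and in both cases the cyclic strategy runs forever because $Dx = 0$ brings the marking back to $\mu_0$ after every round.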

Note that if a deadlock prevention supervisor $S$ exists for $(\mathcal{N}, \mu_0)$, then a
marking based deadlock prevention supervisor $S_m$ exists for $(\mathcal{N}, \mu_0)$ such that $S$
is at least as restrictive as $S_m$. The same is true for liveness and T-liveness enforcing
supervisors. Indeed, let $\sigma^{(j)} = t_1^{(j)} t_2^{(j)} \ldots$, for $j = 1, 2, \ldots$, be the infinite
firing sequences which can fire from $\mu_0$ in $(\mathcal{N}, \mu_0, S)$; for all $i, j = 1, 2, \ldots$ let
$\mu_i^{(j)}$ be the marking reached after firing $t_1^{(j)} \cdots t_i^{(j)}$ from $\mu_0$ and $\mu_0^{(j)} = \mu_0$.
We take $S_m(\mu) = \{t : \exists i, j \ge 1 \text{ such that } \mu = \mu_{i-1}^{(j)} \text{ and } t = t_i^{(j)}\}$. Hence
$\forall \mu \in \mathcal{R}(\mathcal{N}, \mu_0, S_m)$: $\exists j$ such that the remaining part of $\sigma^{(j)}$ is firable from $\mu$ in $(\mathcal{N}, \mu_0, S_m)$.

From a marking based supervisory perspective, it is known that if a liveness
enforcing supervisor exists, the least restrictive liveness enforcing supervisor also
exists [..]. The same is true for deadlock prevention and T-liveness enforcing
supervisors. This is true also for the more general supervisors of Definition 3.
This follows easily from the fact that given $S_1$ and $S_2$, a supervisor at least as
permissive as each of $S_1$ and $S_2$ is $S = S_1 \vee S_2$, which allows a transition to fire
if either of $S_1$ or $S_2$ allows it.

Next we introduce a technical result which is necessary in order to prove 
some of the main results of this paper. 

Lemma 1. Let $\mathcal{N} = (P, T, F, W)$ be a Petri net of incidence matrix $D$. Assume that there is an initial marking $\mu_I$ which enables an infinite firing sequence $\sigma$. Let $U \subseteq T$ be the set of transitions which appear infinitely often in $\sigma$.

(a) There is a nonnegative integer vector $x$ such that $Dx \geq 0$, $\forall t_i \in U : x(i) \neq 0$ and $\forall t_i \in T \setminus U : x(i) = 0$.

(b) There is a firing sequence $\sigma_x$ containing only the transitions with $x(i) \neq 0$, such that $\exists \mu_1, \mu_2 \in \mathcal{R}(\mathcal{N}, \mu_I)$: $\mu_1 \xrightarrow{\sigma_x} \mu_2$, each transition $t_i$ appears $x(i)$ times in $\sigma_x$, $\sigma$ can be written as $\sigma = \sigma_a \sigma_x \sigma_b$, and $\mu_I \xrightarrow{\sigma_a} \mu_1$.

Proof. Note that $\sigma$ can be written as $\sigma_0 \sigma'$, where $\sigma_0$ is finite and $\sigma'$ contains only transitions in $U$. Let $\mu_0$ be the marking such that $\mu_I \xrightarrow{\sigma_0} \mu_0$. We further decompose $\sigma'$ in $\sigma_1 \sigma_2 \cdots \sigma_k \cdots$ such that each $\sigma_k$ is finite and in each $\sigma_k$ all transitions of $U$ appear at least once. Let $\mu_1, \mu_2, \ldots, \mu_k, \ldots$ be such that $\mu_{k-1} \xrightarrow{\sigma_k} \mu_k$ for $k = 1, 2, \ldots$. By Dickson's Lemma (see Lemma 17 in [?]) $\exists j, k$, $j < k$, such that $\mu_j \leq \mu_k$. Let $q_j$ and $q_k$ be the firing count vectors: $\mu_j = \mu_0 + D q_j$ and $\mu_k = \mu_0 + D q_k$; let $x = q_k - q_j$. Then $\mu_k - \mu_j \geq 0 \Rightarrow Dx \geq 0$, and by construction $x \geq 0$, $x(i) > 0$ $\forall t_i \in U$ and $x(i) = 0$ $\forall t_i \in T \setminus U$. Also we take $\sigma_a = \sigma_0 \sigma_1 \cdots \sigma_j$, $\sigma_x = \sigma_{j+1} \cdots \sigma_k$, $\sigma_b = \sigma_{k+1} \sigma_{k+2} \cdots$, and, for the markings of the statement, $\mu_1 = \mu_j$ and $\mu_2 = \mu_k$. □

In order to characterize the supervisors which prevent deadlock, or enforce liveness or T-liveness, we define the properties $(P_1)$, $(P_2)$ and $(P_3)$ below, in which $\mathcal{N} = (P, T, F, W)$ is a Petri net, $T_x \subseteq T$ and $\sigma$ denotes a nonempty firing sequence.

$(P_1)$ $(\exists \sigma\ \exists \mu_1', \mu_1 \in \mathcal{R}(\mathcal{N}, \mu) : \mu_1 \xrightarrow{\sigma} \mu_1' \text{ and } \mu_1' \geq \mu_1)$

$(P_2)$ $(\exists \sigma\ \exists \mu_1', \mu_1 \in \mathcal{R}(\mathcal{N}, \mu) : \mu_1 \xrightarrow{\sigma} \mu_1',\ \mu_1' \geq \mu_1 \text{ and all transitions of } T \text{ appear in } \sigma)$

$(P_3)$ $(\exists \sigma\ \exists \mu_1', \mu_1 \in \mathcal{R}(\mathcal{N}, \mu) : \mu_1 \xrightarrow{\sigma} \mu_1',\ \mu_1' \geq \mu_1 \text{ and all transitions of } T_x \text{ appear in } \sigma)$

The following theorem characterizes the relations existing between supervisors preventing deadlock and supervisors enforcing (T-)liveness. In general we may expect deadlock prevention supervisors to be at least as permissive as supervisors enforcing a stronger requirement, such as liveness or T-liveness. Such deadlock prevention supervisors are considered in parts (d) and (e) of the following theorem.

Theorem 2. Let $\mathcal{N} = (P, T, F, W)$ be a Petri net and $T_x \subseteq T$.

(a) Deadlock can be prevented in $(\mathcal{N}, \mu)$ iff $(P_1)$ is true.

(b) Liveness can be enforced in $(\mathcal{N}, \mu)$ iff $(P_2)$ is true.

(c) $T_x$-liveness can be enforced in $(\mathcal{N}, \mu)$ iff $(P_3)$ is true.

(d) Let $\mu_0$ be an arbitrary marking for which liveness can be enforced, $\Sigma_L$ the least restrictive liveness enforcing supervisor of $(\mathcal{N}, \mu_0)$, and $\mathcal{S}$ the set of all deadlock prevention supervisors of $(\mathcal{N}, \mu_0)$ at least as permissive as $\Sigma_L$. Then all $\Sigma \in \mathcal{S}$ enforce liveness in $(\mathcal{N}, \mu_0)$ iff $\forall \mu \in \mathcal{R}(\mathcal{N}, \mu_0)$: $(P_1) \Rightarrow (P_2)$.

(e) Let $\mu_0$ be an arbitrary marking for which $T_x$-liveness can be enforced, $\Sigma_L$ the least restrictive $T_x$-liveness enforcing supervisor of $(\mathcal{N}, \mu_0)$, and $\mathcal{S}$ the set of all deadlock prevention supervisors of $(\mathcal{N}, \mu_0)$ at least as permissive as $\Sigma_L$. Then all $\Sigma \in \mathcal{S}$ enforce $T_x$-liveness in $(\mathcal{N}, \mu_0)$ iff $\forall \mu \in \mathcal{R}(\mathcal{N}, \mu_0)$: $(P_1) \Rightarrow (P_3)$.

Proof. 

(a) If $(P_1)$ is true, then a deadlock prevention strategy is to first allow only a firing sequence that leads from $\mu$ to $\mu_1$, and then only the infinite firing sequence $\sigma, \sigma, \sigma, \ldots$. Furthermore, if deadlock can be prevented, there is an infinite firing sequence enabled by the initial marking. Then, by Lemma 1 it follows that $(P_1)$ is true.

(b) This is a particular case of (c) for $T = T_x$.

(c) The first part of the proof is similar to (a). If $T_x$-liveness can be enforced, there is an infinite firing sequence $\sigma$ enabled by the initial marking, and the transitions in $T_x$ appear infinitely often in $\sigma$. Then, by Lemma 1 it follows that $(P_3)$ is true.



Generalized Conditions for Liveness Enforcement and Deadlock Prevention 






(d) This is a particular case of (e) for $T = T_x$.

(e) ($\Rightarrow$) Assume the contrary: $\exists \mu \in \mathcal{R}(\mathcal{N}, \mu_0)$ such that $(P_1)$ is true and $(P_3)$ is not. Note that the least restrictive deadlock prevention supervisor of $(\mathcal{N}, \mu_0)$, $\Sigma_D$, is in $\mathcal{S}$. By part (a), deadlock can be prevented at the marking $\mu$, so $\mu \in \mathcal{R}(\mathcal{N}, \mu_0, \Sigma_D)$. However, by part (c), $(\mathcal{N}, \mu)$ cannot be made $T_x$-live, so $\Sigma_D$ does not enforce $T_x$-liveness, which is a contradiction.

($\Leftarrow$) Since $T_x$-liveness can be enforced at $\mu_0$, deadlock can be prevented at $\mu_0$, so $\mathcal{S}$ is nonempty. Let $\Sigma \in \mathcal{S}$. The proof checks that for all $\mu \in \mathcal{R}(\mathcal{N}, \mu_0, \Sigma)$ there is a firing sequence enabled by $\mu$, accepted by $\Sigma$, and which includes all transitions in $T_x$. Let $\mu \in \mathcal{R}(\mathcal{N}, \mu_0, \Sigma)$. Since deadlock is prevented, $(P_1)$ is true at $\mu$, and hence so is $(P_3)$. Let $\Sigma_x$ be the supervisor that enforces $T_x$-liveness in $(\mathcal{N}, \mu_0)$ by firing $\sigma_1 \sigma_2 \sigma \sigma \sigma \ldots$, where $\mu_0 \xrightarrow{\sigma_1} \mu \xrightarrow{\sigma_2} \mu_1$, and $\sigma$, $\mu_1$ and $\mu_1'$ are the variables from $(P_3)$. Since $\Sigma$ is at least as permissive as $\Sigma_L$, $\Sigma$ is at least as permissive as $\Sigma_x$. Thus $\Sigma$ allows $\sigma_2 \sigma$ to fire from $\mu$. Therefore all transitions of $T_x$ appear in some firing sequence enabled by $\mu$ and allowed by $\Sigma$. □

In practice it may be difficult to check (Pi) => (P 2 ) or (Pi) => (P 3 ) in order 
to see whether a deadlock prevention supervisor will also enforce liveness or T- 
liveness. In contrast, the conditions of the next theorem can be easily verified 
using linear programming. 

Theorem 3. Let $\mathcal{N} = (P, T, F, W)$ be a Petri net, $D$ its incidence matrix, $T_x \subseteq T$, $n = |T|$ the number of transitions, $M = \{x \in \mathbb{N}^n : x \neq 0,\ Dx \geq 0\}$, $N = \{x \in M : \forall i = 1 \ldots n : x(i) \neq 0\}$ and $P = \{x \in M : \forall t_i \in T_x : x(i) \neq 0\}$.

(a) The following statements are equivalent:

(i) $M \neq \emptyset$ and $M = N$

(ii) supervisors which prevent deadlock exist for some initial marking, and for all such initial markings $\mu_0$ all supervisors preventing deadlock in $(\mathcal{N}, \mu_0)$ also enforce liveness in $(\mathcal{N}, \mu_0)$

(b) The following statements are equivalent:

(i) $M \neq \emptyset$ and $M = P$

(ii) supervisors which prevent deadlock exist for some initial marking, and for all such initial markings $\mu_0$ all supervisors preventing deadlock in $(\mathcal{N}, \mu_0)$ also enforce $T_x$-liveness in $(\mathcal{N}, \mu_0)$

(c) The following statements are equivalent:

(i) $P \neq \emptyset$ and $N = P$

(ii) supervisors which enforce $T_x$-liveness exist for some initial marking, and for all such initial markings $\mu_0$ all supervisors enforcing $T_x$-liveness in $(\mathcal{N}, \mu_0)$ also enforce liveness in $(\mathcal{N}, \mu_0)$



(d) 

(e) 



Proof.

(a) This is a particular case of (b) for $T = T_x$.

(b) ($\Rightarrow$) Since $M \neq \emptyset$, a marking $\mu_0$ for which a deadlock prevention supervisor exists can be found as in equation (1). Let $\mu_0$ be an initial marking for which deadlock prevention supervisors exist and $S$ a deadlock prevention supervisor of $(\mathcal{N}, \mu_0)$. We show that there is no reachable marking such that a transition in $T_x$ is dead. Let $\mu \in \mathcal{R}(\mathcal{N}, \mu_0, S)$. Since $S$ prevents deadlock, there is an infinite firing sequence $\sigma$ enabled by $\mu$ and allowed by $S$. Using Lemma 1 for $\mu_I = \mu$, we see that while firing $\sigma$ a marking $\mu_1$ is reached such that $\mu_1$ enables $\sigma_x$ corresponding to $x \in M$. But $M = P$, so all transitions in $T_x$ appear in $\sigma_x$. Therefore no transition in $T_x$ is dead at $\mu$, so $S$ also enforces $T_x$-liveness.

($\Leftarrow$) Assume the contrary. Then there is a nonnegative integer vector $x$, $x \neq 0$, such that $Dx \geq 0$ and $x(i) = 0$ for some $t_i \in T_x$. Let $S$ be a deadlock prevention supervisor for $(\mathcal{N}, \mu_0)$, where $\mu_0$ is such that it enables a firing sequence $\sigma_x$ defined as follows: $t_i$ appears in $\sigma_x$ iff $x(i) \neq 0$, in which case it appears $x(i)$ times. If $S$ is defined to only allow firing $\sigma_x \sigma_x \sigma_x \cdots$, then deadlock is prevented but $T_x$-liveness is not enforced, as $\sigma_x$ does not include all transitions of $T_x$. Contradiction.

(c) The proof is identical to (b) if we substitute in (b) $T_x$ with $T$, and deadlock prevention with $T_x$-liveness enforcement. □

Fig. 2. Examples for Theorems 2 and 3.



Figure 2(a) shows an example for Theorem 3(a): all nonnegative vectors $x$ such that $Dx \geq 0$ are a linear combination with nonnegative coefficients of $[1, 2, 1, 1]^T$ and $[2, 3, 3, 3]^T$. Figure 2(b) shows an example for Theorem 2(d). Indeed, all markings $\mu$ that enable any of $t_1$, $t_2$ or $t_4$ satisfy $(P_2)$. Also, a marking that enables only [?] either leads to deadlock or enables the sequence [?], and hence satisfies $(P_2)$. For instance, the deadlock prevention supervisor that repeatedly fires $t_1$ does not enforce liveness because it does not satisfy the requirement of Theorem 2(d) to be at least as permissive as any liveness enforcing supervisor.

With regard to Theorem 2(d-e), note that designing deadlock prevention supervisors less restrictive than liveness enforcing supervisors has been demonstrated for instance in [?].
Theorem 4. Consider a Petri net $\mathcal{N} = (P, T, F, W)$ which is not repetitive. At least one transition exists such that for any initial marking it cannot fire infinitely often. Let $T_D$ be the set of all such transitions. There are initial markings $\mu_0$ and a supervisor $S$ such that $\forall \mu \in \mathcal{R}(\mathcal{N}, \mu_0, S)$ no transition in $T \setminus T_D$ is dead.

Proof. Let $\|x\|$ be the support of the vector $x$, that is $\|x\| = \{i : x(i) \neq 0\}$. There is an integer vector $x \geq 0$ with maximum support such that $Dx \geq 0$, that is, for all integer vectors $w \geq 0$ such that $Dw \geq 0$: $\|w\| \subseteq \|x\|$. Indeed if $y, z \geq 0$ are integer vectors and $Dy \geq 0$ and $Dz \geq 0$, then $D(z + y) \geq 0$, $y + z \geq 0$, and $\|y\| \cup \|z\| \subseteq \|y + z\|$.

If $t_j \in T$ can be made live, there is a marking that enables an infinite firing sequence $\sigma$ such that $t_j$ appears infinitely often in $\sigma$. Therefore by Lemma 1 $\exists y \geq 0$ such that $Dy \geq 0$ and $y(j) > 0$. Since $x$ has maximum support, $\|y\| \subseteq \|x\|$ and so $t_j \in \|x\|$. This proves that all transitions that can be made live are in $\|x\|$. Moreover, only the transitions that can be made live are in $\|x\|$. Indeed, let $\sigma_x$ be a firing sequence such that $t_i$ appears in $\sigma_x$ iff $x(i) \neq 0$, in which case it appears $x(i)$ times. Then there is a marking $\mu_0$ given by equation (1) that enables the infinite firing sequence $\sigma_l = \sigma_x \sigma_x \sigma_x \cdots$. We may choose $S$ to only allow $\sigma_l$ to fire from $\mu_0$, and we note that all transitions in $\|x\|$ are live. However $T \not\subseteq \|x\|$, or else $\sigma_l$ contains all transitions of $T$ and so $\mathcal{N}$ is repetitive. Therefore $T \setminus \|x\| \neq \emptyset$. Since $\|x\|$ contains the transitions that can be made live, $T \setminus \|x\| \neq \emptyset$ contains the transitions that cannot be made live under any circumstances. So we have $T_D = T \setminus \|x\|$ and $T_D \neq \emptyset$. □

A special case in Theorem 4 is $T \setminus T_D = \emptyset$, when the Petri net is not even partially repetitive, and so deadlock cannot be avoided for any marking. It was already shown that only repetitive Petri nets can be made live (Proposition [?]). Theorem 4 shows that the set of transitions of a partially repetitive Petri net can be uniquely divided in transitions that can be made live and transitions that cannot be made live. So the liveness property of partially repetitive Petri nets is that all transitions that can be made live are live ($T \setminus T_D$-liveness). For an example, consider the Petri nets of Figure 4(a) and (b). For the first one $T_D = \{t_4, t_5\}$, and for the second one $T_D = \{t_1, t_2, t_3\}$.

3.2 Deadlock and (T-)Liveness Characterization Based on Active Subnets

We denote by the active subnet a part of a Petri net which can be made live for appropriate markings by supervision. In the following definition we use the notations from Theorem 4.

Definition 5. Let $\mathcal{N} = (P, T, F, W)$ be a Petri net, $D$ the incidence matrix and $T_D \subseteq T$ be the set of all transitions that cannot be made live for any initial marking. $\mathcal{N}^A = (P^A, T^A, F^A, W^A)$ is an active subnet of $\mathcal{N}$ if $P^A = T^A \bullet$, $F^A = F \cap \{(T^A \times P^A) \cup (P^A \times T^A)\}$, $W^A$ is the restriction of $W$ to $F^A$ and $T^A$ is the set of transitions with nonzero entry in some nonnegative vector $x \neq 0$ satisfying $Dx \geq 0$. $\mathcal{N}^A$ is the maximal active subnet of $\mathcal{N}$ if $T^A = T \setminus T_D$, and $\mathcal{N}^A$ is a minimal active subnet if there is no other active subnet $\mathcal{N}_1^A = (P_1^A, T_1^A, F_1^A, W_1^A)$ such that $T_1^A \subset T^A$.

M.V. Iordache and P.J. Antsaklis



Definition 6. Given an active subnet $\mathcal{N}^A$ of a Petri net $\mathcal{N}$, a siphon of $\mathcal{N}$ is said to be an active siphon (with respect to $\mathcal{N}^A$) if it is or includes a siphon of $\mathcal{N}^A$. An active siphon is minimal if it does not include another active siphon (with respect to the same active subnet).

In Figure 3(a) and (c) two Petri nets are given. Figure 3(b) shows the minimal active subnets of the Petri net in Figure 3(a). The union of the two subnets is the maximal active subnet. Figure 3(d) shows the only active subnet of the Petri net of Figure 3(c). The minimal active siphons of the Petri net in Figure 3(a) with respect to the active subnet having $T^A = \{t_6, t_7, t_8\}$ are $\{p_1, p_5, p_6, p_7\}$ and $\{p_6, p_7, p_8\}$. The minimal active siphons of the Petri net of Figure 3(c) are $\{p_1, p_4, p_7\}$, $\{p_2, p_5, p_7\}$, $\{p_3, p_5, p_7\}$ and $\{p_6, p_7\}$.




Fig. 3. Two Petri nets: (a) and (c), and their active subnets: (b) and (d), respectively. 



Proposition 4. A siphon which contains places from an active subnet is an active siphon with respect to that subnet.

Proof. We use the notations from Definition 5. Let $\sigma_x$ be a firing sequence such that a transition $t_i$ appears in $\sigma_x$ iff $x(i) \neq 0$, in which case it appears $x(i)$ times. Let $S$ be a siphon such that $S \cap P^A \neq \emptyset$. We are to prove that there is a siphon $s$ of $\mathcal{N}^A$ such that $s \subseteq S$. $\bullet S \subseteq S \bullet$ implies that $\bullet S \cap T^A \subseteq S \bullet \cap T^A$. Using the construction of equation (1) there is a marking enabling $\sigma_x \sigma_x \sigma_x \cdots$. Since $T^A = \|x\|$, this implies $\forall t \in T^A : \bullet t \subseteq P^A$. Hence $S \bullet \cap T^A \subseteq (S \cap P^A) \bullet$ and so $S \bullet \cap T^A = (S \cap P^A) \bullet \cap T^A$. Note also that $\bullet (S \cap P^A) \cap T^A \subseteq \bullet S \cap T^A$. Therefore $\bullet S \cap T^A \subseteq S \bullet \cap T^A$ implies $\bullet (S \cap P^A) \cap T^A \subseteq (S \cap P^A) \bullet \cap T^A$, which proves that $s = S \cap P^A$ is a siphon of $\mathcal{N}^A$. □
The significance of the active subnets for deadlock prevention can be seen in the following propositions. First we prove a technical result.

Lemma 2. Let $\mathcal{N}^A = (P^A, T^A, F^A, W^A)$ be an active subnet of $\mathcal{N}$. Given a marking $\mu$ of $\mathcal{N}$ and its restriction to $\mathcal{N}^A$, if $t \in T^A$ is enabled in $\mathcal{N}^A$, then $t$ is enabled in $\mathcal{N}$.

Proof. By definition, there is a nonnegative integer vector $x \geq 0$ such that $Dx \geq 0$ ($D$ is the incidence matrix) and $x(i) > 0$ for $t_i \in T^A$ and $x(i) = 0$ for $t_i \in T \setminus T^A$. This implies that there are markings such that the transitions of $T^A$ can fire infinitely often, without firing other transitions (see equation (1)). If $t$ is not enabled in $\mathcal{N}$, there is $p \in \bullet t$ such that $p \notin P^A$, since $t$ is enabled in $\mathcal{N}^A$. (The preset/postset operators $\bullet$ are taken with respect to $\mathcal{N}$, not $\mathcal{N}^A$.) Note that $p \notin P^A$ implies $\bullet p \cap T^A = \emptyset$. If $\bullet p = \emptyset$, $t$ cannot fire infinitely often, which contradicts the definition of $T^A$ (Definition 5), since $t \in T^A$. If $t_k \in \bullet p$, the transitions of $T^A$ cannot fire infinitely often without firing $t_k$, which again contradicts the definition of $T^A$. Therefore $t$ is also enabled in $\mathcal{N}$. □

Note that in a repetitive Petri net all siphons are active with respect to the maximal active subnet. The next result is a generalization of the well known Proposition [?]. It is a more powerful result since it not only states that deadlock implies an empty siphon, but also that for any active subnet $\mathcal{N}^A$ there is an empty active siphon with respect to $\mathcal{N}^A$.

Proposition 5. Let $\mathcal{N}^A$ be an arbitrary active subnet of a PT-ordinary Petri net $\mathcal{N}$. If $\mu$ is a deadlock marking of $\mathcal{N}$, then there is at least one empty minimal active siphon with respect to $\mathcal{N}^A$.

Proof. Since $\mu$ is a deadlock marking and $\mathcal{N} = (P, T, F, W)$ is PT-ordinary, $\forall t \in T$ $\exists p \in \bullet t$: $\mu(p) = 0$. The active subnet is built in such a way that if the marking $\mu$ restricted to the active subnet enables a transition $t$, then $\mu$ enables $t$ in the total net (Lemma 2). Therefore, because the total net $(\mathcal{N}, \mu)$ is in deadlock, the active subnet is too. In view of Proposition [?] let $s$ be an empty minimal siphon of the active subnet. Consider $s$ in the total net. If $s$ is a siphon of the total net, then $s$ is also a minimal active siphon; therefore the net has a minimal active siphon which is empty. If $s$ is not a siphon of the total net: $\bullet s \setminus s \bullet \neq \emptyset$. Let $S$ be the set inductively constructed as follows: $S_0 = s$, $S_i = S_{i-1} \cup \{p \in \bullet(\bullet S_{i-1}) : \mu(p) = 0\}$, where $\mu$ is the (deadlock) marking of the net. In other words $S$ is a completion of $s$ with places with null marking such that $S$ is a siphon. By construction $S$ is an active siphon and is empty for the marking $\mu$. Hence an empty minimal active siphon exists. □

The practical significance of Proposition 5 is that it can be used for deadlock prevention, since deadlock is not possible when all active siphons with respect to an active subnet cannot become empty.

Proposition 6. Deadlock is unavoidable for the marking $\mu$ if for all minimal active subnets $\mathcal{N}^A$ there is an empty active siphon with respect to $\mathcal{N}^A$.

Proof. All transitions in the postset of an empty siphon are dead. Therefore every minimal active subnet has some dead transitions. Assume that deadlock is avoidable. Then, in view of Lemma 1, after some transition firings a marking can be reached which enables $\sigma \sigma \sigma \ldots \sigma \ldots$, where $\sigma$ is a finite firing sequence. Let $q$ be the firing count vector for $\sigma$. Then $Dq \geq 0$. If the active subnet for $q$ is minimal, we let $x = q$, but if it is not, there is $x$ such that $\|x\| \subset \|q\|$, $x \neq 0$, $x \geq 0$, $Dx \geq 0$ and the active subnet associated to $x$ is minimal. But there must be an empty active siphon with regard to that active subnet, therefore not all of the transitions of $\|x\|$ can fire, which implies that not all of the transitions of $\sigma$ can fire, which is a contradiction. □

Propositions 5 and 6 generalize Proposition [?]. Thus a Petri net will certainly enter deadlock if for all minimal active subnets $\mathcal{N}^A$ there is an empty active siphon with respect to $\mathcal{N}^A$. Conversely a deadlock state implies that for each active subnet there is an empty active siphon with regard to that subnet. Propositions 5 and 6 suggest an approach for least restrictive deadlock prevention, and we consider it in Section 4.2.
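Propositions 4 to 6 rest on computing siphons of the active subnet and of the whole net and comparing their markings. The Python below is an added illustration, not code from the paper: on a small constructed partially repetitive net it enumerates siphons, builds the active subnet of Definition 5 for a given $T^A$ (taken as input here rather than computed from $Dx \geq 0$), and applies the test of Proposition 5, showing a marking with an empty ordinary siphon but no empty minimal active siphon (hence not a deadlock) next to a true deadlock marking. The net, its place and transition names and the markings are constructed for this example.

```python
from itertools import combinations

# Constructed example net (not from the paper). t1, t2, t3 form a token-conserving
# cycle p1 -> p2 -> p3 -> p1; t4 only moves a token from the source place p4 to the
# sink place p5 and so can never fire infinitely often. The net is therefore
# partially repetitive with T_D = {t4}. All arc weights are 1 (PT-ordinary).
PRE = {"t1": {"p1"}, "t2": {"p2"}, "t3": {"p3"}, "t4": {"p4"}}   # input places
POST = {"t1": {"p2"}, "t2": {"p3"}, "t3": {"p1"}, "t4": {"p5"}}  # output places
PLACES = sorted(set().union(*PRE.values(), *POST.values()))


def pre_of_set(places, post):
    """•S: transitions with at least one output place in S."""
    return {t for t, outs in post.items() if outs & places}


def post_of_set(places, pre):
    """S•: transitions with at least one input place in S."""
    return {t for t, ins in pre.items() if ins & places}


def is_siphon(places, pre, post):
    """S is a siphon iff S is nonempty and •S ⊆ S•."""
    return bool(places) and pre_of_set(places, post) <= post_of_set(places, pre)


def siphons(place_list, pre, post):
    """All siphons of the net (pre, post) by enumerating place subsets;
    exponential, so only for small nets."""
    return [frozenset(c)
            for r in range(1, len(place_list) + 1)
            for c in combinations(place_list, r)
            if is_siphon(frozenset(c), pre, post)]


def minimal_sets(sets):
    """Subset-minimal members of a family of sets."""
    return [s for s in sets if not any(o < s for o in sets)]


def active_subnet(t_active, pre, post):
    """Definition 5: the subnet on T^A with P^A = T^A• and the arcs of the net
    restricted to P^A x T^A and T^A x P^A. T^A is taken as given here instead
    of being computed from Dx >= 0."""
    p_active = set().union(*(post[t] for t in t_active))
    pre_a = {t: pre[t] & p_active for t in t_active}
    post_a = {t: post[t] & p_active for t in t_active}
    return sorted(p_active), pre_a, post_a


def minimal_active_siphons(t_active, pre, post, place_list):
    """Definition 6: siphons of the net that are or include a siphon of the
    active subnet, reduced to the subset-minimal ones."""
    p_a, pre_a, post_a = active_subnet(t_active, pre, post)
    sub_siphons = siphons(p_a, pre_a, post_a)
    active = [S for S in siphons(place_list, pre, post)
              if any(s <= S for s in sub_siphons)]
    return minimal_sets(active)


def empty_ones(siphon_list, marking):
    """Siphons carrying no token under the marking (a dict place -> tokens)."""
    return [S for S in siphon_list if all(marking.get(p, 0) == 0 for p in S)]


def is_deadlock(marking, pre):
    """PT-ordinary net: deadlock iff no transition has all input places marked."""
    return not any(all(marking.get(p, 0) >= 1 for p in ins) for ins in pre.values())


def check(marking, t_active=("t1", "t2", "t3")):
    """Classical empty-siphon test versus Proposition 5's active-siphon test."""
    plain = empty_ones(minimal_sets(siphons(PLACES, PRE, POST)), marking)
    active = empty_ones(minimal_active_siphons(set(t_active), PRE, POST, PLACES), marking)
    return {
        "deadlock": is_deadlock(marking, PRE),
        "empty_minimal_siphons": sorted(sorted(S) for S in plain),
        "empty_minimal_active_siphons": sorted(sorted(S) for S in active),
    }


if __name__ == "__main__":
    # After firing t4 from p1 = p4 = 1: {p4} is an empty siphon, yet the only
    # minimal active siphon {p1, p2, p3} is marked, so the net is not dead.
    print(check({"p1": 1, "p5": 1}))
    # A genuine deadlock marking: the minimal active siphon is empty as well.
    print(check({"p5": 1}))
```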

While Commoner's Theorem is a necessary and sufficient condition, its extension to asymmetric choice Petri nets is usually presented as a sufficient condition (e.g. Theorem 10.4 in [?]). The reason for this is that the attention has been restricted to a particular class of controlled siphons, namely trap controlled siphons. In terms of the general notion of controlled siphons, the extension of Commoner's Theorem is a necessary and sufficient condition (see Corollary 27 in [?]). We go one step further: the next result not only states that a dead transition $t$ implies an empty siphon for some reachable marking, but also that there is such an empty siphon $S$ such that $t \in S \bullet$. This fact is important when we try to verify or ensure that $t$ is live, since we only have to look at the siphons $S$ such that $t \in S \bullet$.

Theorem 5. Consider a PT-ordinary asymmetric choice Petri net $\mathcal{N}$ and a marking $\mu$ such that a transition $t$ is dead. Then there is $\mu' \in \mathcal{R}(\mathcal{N}, \mu)$ and a siphon $S$ such that $S$ is empty for the marking $\mu'$ and $t \in S \bullet$.

Proof. It is known that if a transition $t$ of an ordinary Petri net with asymmetric choice is dead at a marking $\mu$, then $\exists \mu_1 \in \mathcal{R}(\mathcal{N}, \mu)$ $\exists p_1 \in \bullet t$ $\forall \mu_x \in \mathcal{R}(\mathcal{N}, \mu_1)$: $\mu_x(p_1) = 0$. This is proved for instance in Lemma 10.2 of [?], and the proof applies without change to PT-ordinary asymmetric choice Petri nets. We inductively use this property to construct $S$. Note that all transitions in $\bullet p_1$ are dead at $\mu_1$. Let $S_0 = \emptyset$ and $S_1 = \{p_1\}$. We inductively construct $S$ by generating $S_2, \ldots, S_{n+1}$ and the markings $\mu_2, \ldots, \mu_{n+1}$. $S_i$ for $i \geq 1$ is such that all transitions in $\bullet S_i$ are dead for some marking $\mu_i$. The construction in an iteration is as follows. Let $T_i = \bullet(S_i \setminus S_{i-1})$ and $\mu_{i+1} \in \mathcal{R}(\mathcal{N}, \mu_i)$ such that $\forall t \in T_i$ $\forall \mu_x \in \mathcal{R}(\mathcal{N}, \mu_{i+1})$ $\exists p \in \bullet t$: $\mu_x(p) = 0$. Then we let $G_i = \bigcup_{t \in T_i} \{p \in \bullet t : \forall \mu_x \in \mathcal{R}(\mathcal{N}, \mu_{i+1}) : \mu_x(p) = 0\}$ and $S_{i+1} = S_i \cup G_i$. There is $n$ such that $S_{n+1} = S_n$, for the Petri net has a finite number of places. We let $S = S_n$ and $\mu' = \mu_n$. By construction $S$ is a siphon (note that $\bullet S_i \subseteq S_{i+1} \bullet$ for $i = 0 \ldots n$), $S$ is empty at $\mu'$, $\mu' \in \mathcal{R}(\mathcal{N}, \mu)$, and $t \in S \bullet$ (since $p_1 \in S$). □
Definition 7. Let $\mathcal{N}$ be a Petri net, $T$ a nonempty subset of the set of transitions and $\mathcal{N}^A = (P^A, T^A, F^A, W^A)$ an active subnet. We say that $\mathcal{N}^A$ is $T$-minimal if $T \subseteq T^A$ and for any other active subnet $\mathcal{N}_1^A = (P_1^A, T_1^A, F_1^A, W_1^A)$ such that $T \subseteq T_1^A$: $T_1^A \not\subset T^A$.

In general a $T$-minimal active subnet may not be unique. However, as shown in the next theorem, any $T$-minimal active subnet can be used to characterize $T$-liveness. We also note that computing a $T$-minimal active subnet has polynomial complexity (it involves solving linear programs). The following new result may be seen as a correspondent for $T$-liveness of Commoner's Theorem.

Theorem 6. Given a PT-ordinary asymmetric choice Petri net $\mathcal{N}$, let $T$ be a set of transitions and $\mathcal{N}^A$ a $T$-minimal active subnet which contains the transitions in $T$. If all the minimal active siphons with respect to $\mathcal{N}^A$ are controlled, the Petri net is $T$-live (and $T^A$-live). If the Petri net is $T$-live, there is no reachable marking such that for each $T$-minimal active subnet $\mathcal{N}^A$ there is an empty minimal active siphon with respect to $\mathcal{N}^A$.

Proof. For the first part, assume that there is a reachable marking such that a transition $t \in T^A$ is dead. Since $T \subseteq T^A$, by Theorem 5 there is a reachable marking such that a siphon $S$ is empty and $t \in S \bullet$. However $t \in S \bullet$ implies $S \cap P^A \neq \emptyset$, and by Proposition 4 $S$ is an active siphon. However $S$ empty contradicts the fact that all active siphons are controlled.

For the second part, let $\mathcal{N}_i^A$ denote a $T$-minimal active subnet, $i = 1 \ldots k$, where $k$ is the number of $T$-minimal active subnets. Let $\mu$ be a marking such that an active siphon $S_i$ (with respect to $\mathcal{N}_i^A$) is empty. Let $T_i = S_i \bullet \cap T_i^A$, where $T_i^A$ is the set of transitions of $\mathcal{N}_i^A$. Since $S_i$ is active, $T_i$ is nonempty; because $S_i$ is empty, the transitions of $T_i$ are dead. Assume that there is an infinite firing sequence $\sigma_x$ such that all transitions of $T$ appear infinitely often in $\sigma_x$ and after a part of $\sigma_x$ is fired (let $\mu$ be the marking reached) all $T$-minimal active subnets $\mathcal{N}_i^A$ have an empty active siphon $S_i$. Let $\sigma$ be the remaining part of $\sigma_x$, which is enabled by $\mu$. All transitions of $T$ appear infinitely often in $\sigma$. Therefore, by Lemma 1 there is $x \geq 0$ such that $Dx \geq 0$ ($D$ is the incidence matrix) and $T \subseteq \|x\|$. However, $\|x\|$ does not contain all transitions of any of the $T$-minimal subnets $\mathcal{N}_i^A$: $T_i \subseteq T_i^A \setminus \|x\|$, for $i = 1 \ldots k$. This implies that $\|x\|$ defines another $T$-minimal active subnet, which contradicts the fact that $\mathcal{N}_i^A$, $i = 1 \ldots k$, are all the $T$-minimal active subnets. □

In the particular case in which there is a single $T$-minimal active subnet, Theorem 6 shows that the net is $T$-live iff all siphons are controlled. When $T$ equals the total set of transitions of the net and the Petri net is repetitive, the $T$-minimal active subnet exists, is unique, and equals the total net; in this case we obtain the extension of Commoner's Theorem to asymmetric choice nets.

4 Implications and Discussion 

In this section we discuss our results and show how they relate to the supervisory problems of deadlock prevention, liveness enforcement and T-liveness enforcement. Some of the theoretical results only consider particular classes of Petri nets, specifically PT-ordinary and asymmetric choice nets. However, for our supervisory problems this is a surmountable difficulty, since it is possible to transform a Petri net to a PT-ordinary or PT-ordinary asymmetric choice Petri net; then, it is possible to derive a deadlock prevention (or a (T-)liveness enforcement) supervisor from a supervisor for deadlock prevention (or (T-)liveness enforcement) of the transformed net [?]. Briefly, a possible solution for our supervisory problems is as follows: given a target net $\mathcal{N}_0$, generate a sequence of increasingly enhanced nets $\mathcal{N}_1, \mathcal{N}_2, \ldots$ until we reach a net $\mathcal{N}_k$ such that we can use Proposition 5 or Theorem 6 on $\mathcal{N}_k$ to guarantee deadlock-freedom or (T-)liveness; then a supervisor for $\mathcal{N}_0$ is derived based on the construction of $\mathcal{N}_k$. For more details the reader is referred to [?].



4.1 Deadlock Prevention 

Proposition [?] implies that if the marking of any of the minimal siphons of a Petri net can never become zero, the Petri net is deadlock-free. This is a useful property for repetitive Petri nets, but not always for nonrepetitive Petri nets. For partially repetitive Petri nets Proposition 5 is much more useful. For instance consider the Petri net of Figure 4(a). The only active subnet has $T^A = \{t_1, t_2, t_3\}$. After firing $t_1$, $\{[?]\}$ is an empty siphon. However, there is no empty active siphon (the minimal active siphons are $\{p_1, p_3, p_4\}$, $\{p_2, p_3, p_5\}$ and $\{p_2, p_3, p_6\}$), and thus we can see from Proposition 5 that the Petri net is not in deadlock, while this cannot be ascertained from Proposition [?]. The same is true for the Petri net in Figure 4(b): $\{p_1, p_3\}$ is an empty siphon, but the only minimal active siphon, $\{p_4, p_5, p_6, p_7\}$, is not empty, and therefore the Petri net is not in deadlock by Proposition 5.




Fig. 4. 



Proposition 5 is more useful than Proposition [?] even for repetitive Petri nets, as seen in Figure 4(c). The Petri net of Figure 4(c) has several active subnets. While with respect to some of them there are empty active siphons, if we take the active subnet defined by $T^A = \{t_1, t_2\}$, the only minimal active siphon with respect to $\mathcal{N}^A$ is $\{p_1, p_2, p_5\}$, which is not empty. Thus we are able to detect based on Proposition 5 that the Petri net is not in deadlock.

In the applications in which deadlock prevention is desired to approximate liveness enforcement, Proposition 5 can be used for the maximal active subnet. Thus it would be desirable that no active siphon with respect to the maximal active subnet ever becomes empty. Indeed, if an active siphon $S$ with respect to the maximal active subnet is empty, all transitions in $S \bullet$ are dead, and some of them are in the set $T \setminus T_D$ of Theorem 4.

For the applications in which least restrictive deadlock prevention is desired 
rather than a liveness approximation, see the next section. 

Proposition 5 can be used for deadlock prevention by extending the target Petri net to a net in which all siphons are controlled. The usual technique for siphon control involves adding a new place to each siphon to be controlled, such that place invariants are created. Such additional places can be seen as implementing a (marking based) supervisor for deadlock prevention. We have designed a deadlock prevention methodology based on Proposition 5 in [?]. The methodology of [?] produces two sets of constraints: $L\mu \geq b$ and $L_0 \mu_0 \geq b_0$. Thus $L\mu \geq b$ defines the supervisor (the set of additional places ensuring that all active siphons are invariant controlled), defined for all initial markings $\mu_0$ satisfying both $L\mu_0 \geq b$ and $L_0 \mu_0 \geq b_0$. For an example, consider the Petri nets in Figure [?](a) and (b). They are supervised for deadlock prevention using the methodology of [?]. The additional places defining the supervisor are, in both cases, the places $C_1$, $C_2$ and $C_3$. It can be easily checked that all minimal active siphons are invariant controlled in both cases. In the case (a) the inequalities $L\mu \geq b$ are $\mu(p_1) + \mu(p_3) + \mu(p_4) \geq 1$ (so $\mu(C_1) = \mu(p_1) + \mu(p_3) + \mu(p_4) - 1$), $\mu(p_2) + \mu(p_3) + \mu(p_5) \geq 1$ ($\mu(C_2) = \mu(p_2) + \mu(p_3) + \mu(p_5) - 1$) and $\mu(p_2) + \mu(p_3) + \mu(p_6) \geq 1$ ($\mu(C_3) = \mu(p_2) + \mu(p_3) + \mu(p_6) - 1$); $L_0 \mu_0 \geq b_0$ contains the inequalities $\mu_0(p_1) + \mu_0(p_2) + \mu_0(p_3) + \mu_0(p_4) + \mu_0(p_5) \geq 2$ and $\mu_0(p_1) + \mu_0(p_2) + \mu_0(p_3) + \mu_0(p_4) + \mu_0(p_6) \geq 2$. In the case (b), the inequalities $L\mu \geq b$ are $\mu(p_1) + \mu(p_2) \geq 1$ ($\mu(C_1) = \mu(p_1) + \mu(p_2) - 1$), $\mu(p_3) + \mu(p_4) \geq 1$ ($\mu(C_2) = \mu(p_3) + \mu(p_4) - 1$) and $\mu(p_1) + \mu(p_2) + \mu(p_3) + \mu(p_4) \geq 3$ ($\mu(C_3) = \mu(C_1) + \mu(C_2) - 1$); there are no constraints $L_0 \mu_0 \geq b_0$. Moreover, by Theorem 3 the supervisors also enforce $\{t_1, t_2, t_3\}$-liveness in case (a), and liveness in case (b).



4.2 Least Restrictive Deadlock Prevention 

Assume that we have $u$ supervisors for deadlock prevention in $\mathcal{N}_0$: $S_1, S_2, \ldots, S_u$. Each supervisor can prevent deadlock if the initial marking is in the sets $\mathcal{M}_1, \mathcal{M}_2, \ldots, \mathcal{M}_u$, respectively. Let $S$ be the supervisor defined on $\mathcal{M} = \bigcup_{i = 1 \ldots u} \mathcal{M}_i$ which allows a transition to fire only if at least one of the supervisors $S_i$, defined for the current marking, allows that transition to fire. We denote the supervisor by $S = \bigvee_{i=1}^{u} S_i$. Obviously, $S$ is a deadlock prevention supervisor, and $S$ is at least as permissive as any of $S_i$.



Theorem 7. Let $\mathcal{N}_0$ be a Petri net and $\mathcal{N}_i^A$, for $i = 1 \ldots u$, the minimal active subnets of $\mathcal{N}_0$. Let $T_i$ denote the set of transitions of $\mathcal{N}_i^A$ and let $S_i$, for $i = 1 \ldots u$, be deadlock prevention supervisors. Assume that each $S_i$ is defined for all initial markings for which $T_i$-liveness can be enforced and that each $S_i$ is at least as permissive as any $T_i$-liveness enforcing supervisor. Then $S = \bigvee_{i=1}^{u} S_i$ is the least restrictive deadlock prevention supervisor of $\mathcal{N}_0$.



Proof. The only thing which is to be proved is that a marking unacceptable to $S$ leads to deadlock. Consider such a marking $\mu$. Let $x_1, x_2, \ldots, x_u$ be the nonnegative integer vectors defining $\mathcal{N}_1^A, \mathcal{N}_2^A, \ldots, \mathcal{N}_u^A$ in Definition 5. Thus $T_i = \|x_i\|$ for $i = 1 \ldots u$. Since $\mu$ is unacceptable to all of $S_i$ and each $S_i$ is at least as permissive as any $T_i$-liveness enforcing supervisor, for all $i = 1 \ldots u$ not all transitions of $T_i$ can be made live given the marking $\mu$. Assume that deadlock can be prevented at $\mu$. Then there is an infinite firing sequence $\sigma$ enabled by $\mu$. Let $T_x$ be the set of transitions which appear infinitely often in $\sigma$. By Lemma 1 there is a nonnegative integer vector $x$ such that $T_x = \|x\|$ and $Dx \geq 0$, where $D$ is the incidence matrix. Since $\mathcal{N}_1^A, \mathcal{N}_2^A, \ldots, \mathcal{N}_u^A$ are all the minimal active subnets of $\mathcal{N}_0$, there is $j \in \{1, 2, \ldots, u\}$ such that $\|x_j\| \subseteq \|x\|$. But this contradicts the fact that not all transitions of $\|x_j\|$ can be made live at $\mu$. □

Each of the supervisors $S_i$ satisfying the requirements of the theorem above can be found with the procedure for deadlock prevention that we present in [?], by starting it with an initial active subnet $\mathcal{N}_i^A$. As an example, consider the Petri net of Figure [?](c). There are three minimal active subnets $\mathcal{N}_1^A$, $\mathcal{N}_2^A$ and $\mathcal{N}_3^A$, defined by $T_1^A = \{t_1, t_2\}$, $T_2^A = \{t_3, t_4\}$ and $T_3^A = \{t_2, t_4, t_5, t_6, t_7, t_8, t_9\}$, respectively. Three deadlock prevention supervisors corresponding to $\mathcal{N}_1^A$, $\mathcal{N}_2^A$ and $\mathcal{N}_3^A$ are $S_1$, $S_2$ and $S_3$, defined as follows. For simplicity of notation, we let $\mu_i = \mu(p_i)$. $S_1$ requires $\mu_1 + \mu_2 + \mu_5 + \mu_6 \geq 1 \wedge \mu_1 + \mu_2 + \mu_3 + \mu_4 + \mu_5 + \mu_7 \geq 1$ (the inequalities correspond to the two minimal active siphons with respect to $\mathcal{N}_1^A$); $S_2$ requires $\mu_3 + \mu_4 + \mu_5 + \mu_7 \geq 1 \wedge \mu_1 + \mu_2 + \mu_3 + \mu_4 + \mu_5 + \mu_6 \geq 1$; $S_3$ requires $\mu_1 + \mu_2 + \mu_5 + \mu_6 \geq 1 \wedge \mu_3 + \mu_4 + \mu_5 + \mu_7 \geq 1$, and the initial marking $\mu_0$ to satisfy in addition $\sum_{i=1}^{7} \mu_0(p_i) \geq 2$. It can be easily seen that $S_1 \vee S_2 \vee S_3$ is the least restrictive deadlock prevention supervisor. In this particular case $S_1 \vee S_2 \vee S_3 = S_1 \vee S_2$.

4.3 T-Liveness Enforcement 

We demonstrate a procedure for least restrictive T-liveness enforcement in [?]. The procedure is based on Theorem 6.

Consider the Petri net of Figure [?](a), in which it is desired to ensure $T$-liveness for $T = \{t_1, t_2, t_3\}$. For the displayed marking all of $t_2$ and [?] are dead. However we cannot use Theorem 6 as the Petri net is not with asymmetric choice. Figure [?](b) shows the same Petri net transformed to be with asymmetric choice. Theorem 6 is verified, as the minimal active siphon $S = \{p_1, p_2, p_3, p_4, p_5, p_6, p_7\}$ (with respect to the active subnet with set of transitions $T$) is uncontrolled. Indeed, by firing $t_1$, [?] and $t_{13}$, $S$ becomes empty. The Petri net of Figure [?](a) is not $T$-live for most initial markings. By applying our $T$-liveness enforcement approach from [?], the least restrictive $T$-liveness supervisor of the Petri net of Figure [?](a) enforces $2\mu_1 + 2\mu_2 + 2\mu_3 + \mu_4 + \mu_5 + \mu_6 + 2\mu_7 \geq 2$.

5 Conclusion 

We have introduced new theoretical results which are practical for deadlock pre- 
vention and (T-)liveness enforcement. The first part of the paper characterizes 
the relation between deadlock prevention and (T-)liveness enforcement. The sec- 
ond part extends literature results on deadlock and liveness. The extensions are 
based on the concept of active subnets and siphons. The usage of active sub- 
nets has allowed us to extend the well known sufficient condition for deadlock 
to necessary and sufficient conditions, and to derive T-liveness results generalizing 
Commoner’s Theorem. We note that our results are effective not only on 
repetitive Petri nets but also on partially repetitive Petri nets. 
Appendix: The Computation of the Active Subnets 

The active subnets of special significance are the minimal, T-minimal and max- 
imal active subnets. Note that the minimal subnets of a Petri net are the t- 
minimal subnets, for each transition t of the Petri net. The following algorithm 
computes a T-minimal subnet or, if none exists, a $T_x$-minimal subnet such that 
$T_x \subset T$ and there is no $T_y \subseteq T$, $T_x \subset T_y$, such that a $T_y$-minimal subnet exists. 
A T-minimal subnet does not exist iff some of the transitions of T cannot be 
made live under any circumstances. 

Input: The Petri net $\mathcal{N}_0 = (P_0, T_0, F_0, W_0)$ and its incidence matrix $D$; a 
nonempty set of transitions $T \subseteq T_0$; an optional set $Z$ of transitions which 
are not desired to be made live; by default $Z = \emptyset$. 

Output: The active subnet $\mathcal{N}^A = (P^A, T^A, F^A, W^A)$. 

1. Check the feasibility of $Dx \ge 0$ s.t. $x \ge 0$, $x(i) \ge 1$ $\forall t_i \in T$ and $x(i) = 0$ 
$\forall t_i \in Z$. 

If feasible then let $x_0$ be a solution; $T^A = \mathrm{minactn}(T_0, x_0, D, T)$ 
else $T^A = \mathrm{maxactn}(T_0, D, T, Z)$ (no T-minimal active subnet exists, 
and so an approximation is constructed). 

2. The active subnet is $P^A = (T^A)^\bullet$, $F^A = F_0 \cap [(T^A \times P^A) \cup (P^A \times T^A)]$ 
and $W^A$ is the restriction of $W_0$ to $F^A$. 

minactn($T_0$, $x_0$, $D$, $T$) 

Let $M = \|x_0\|$ and $x_s = x_0$. 

For $t_i \in M \setminus T$ do 

Check feasibility of $Dx \ge 0$ subject to $x \ge 0$, $x(i) = 0$, $x(j) = 0$ 
$\forall t_j \in T_0 \setminus M$ and $x(j) \ge 1$ $\forall t_j \in T$. 

If feasible then let $x^*$ be a solution; $M = \|x^*\|$ and $x_s = x^*$. 

Return $\|x_s\|$ 

maxactn($T_0$, $D$, $T$, $Z$) 

Let $M = T$ and $x_s = 0_{|T_0| \times 1}$. 

While $M \ne \emptyset$ do 

Check feasibility of $Dx \ge 0$ subject to $x \ge 0$, $\sum_{t_i \in M} x(i) \ge 1$ and $x(i) = 0$ 
$\forall t_i \in Z$. 

If feasible then let $x^*$ be a solution; $M = M \setminus \|x^*\|$ and $x_s = x^* + x_s$. 
Else $M = \emptyset$. 

$N = \mathrm{minactn}(T_0, x_s, D, T \cap \|x_s\|)$ 

Return $N$ 
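The two routines above, as an added runnable example in Python (this is not the paper's code): every "check feasibility" step is decided exactly by Fourier–Motzkin elimination over the rational system $Dx \ge 0$, $x \ge 0$ plus the side conditions, so no LP solver is needed, at the price of being practical only for small nets. Where the paper says "let $x^*$ be a solution", the code takes the solution of maximal support, i.e. the sum of one witness per $x(i) \ge 1$ that is feasible; the constraint sets used here are closed under addition, so such a solution exists whenever the system is feasible. The three-transition net, its incidence matrix and the use of transition indices instead of names are constructed for the illustration.

```python
from itertools import product
from typing import List, Sequence, Set, Tuple

# A constraint (a, b) stands for  a . x >= b  with integer coefficients.
Constraint = Tuple[List[int], int]


def feasible(cs: List[Constraint], n: int) -> bool:
    """Exact rational feasibility of {x : a.x >= b for all (a, b) in cs} by
    Fourier-Motzkin elimination of x_0 .. x_{n-1}.  Complete, but exponential in n."""
    cs = [(list(a), b) for a, b in cs]
    for k in range(n):
        pos = [c for c in cs if c[0][k] > 0]
        neg = [c for c in cs if c[0][k] < 0]
        rest = [c for c in cs if c[0][k] == 0]
        for (a, b), (c, d) in product(pos, neg):
            ak, ck = a[k], -c[k]           # two positive multipliers keep both inequalities
            rest.append(([ck * ai + ak * ci for ai, ci in zip(a, c)], ck * b + ak * d))
        cs = rest                          # every surviving constraint has coefficient 0 on x_k
    return all(b <= 0 for _, b in cs)      # what is left reads  0 >= b


def unit(i: int, n: int, sign: int = 1) -> List[int]:
    return [sign if j == i else 0 for j in range(n)]


def system(D, n, ge1=(), zero=(), sum_ge1=()) -> List[Constraint]:
    """D x >= 0, x >= 0, x(i) >= 1 for i in ge1, x(i) = 0 for i in zero and,
    when sum_ge1 is non-empty, sum_{i in sum_ge1} x(i) >= 1."""
    cs = [(list(row), 0) for row in D]
    cs += [(unit(i, n), 0) for i in range(n)]
    cs += [(unit(i, n), 1) for i in ge1]
    cs += [(unit(i, n, -1), 0) for i in zero]        # -x(i) >= 0 together with x(i) >= 0
    if sum_ge1:
        cs.append(([1 if i in sum_ge1 else 0 for i in range(n)], 1))
    return cs


def support(cs: List[Constraint], n: int) -> Set[int]:
    """||x*|| for the maximal-support solution of cs (cs is assumed feasible)."""
    return {i for i in range(n) if feasible(cs + [(unit(i, n), 1)], n)}


def minactn(D, n, M: Set[int], T: Set[int]) -> Set[int]:
    """Shrink the support M of a solution towards a T-minimal active transition set."""
    M = set(M)
    for i in sorted(M - T):
        if i not in M:                     # already forced to zero by an earlier step
            continue
        cs = system(D, n, ge1=T, zero={i} | (set(range(n)) - M))
        if feasible(cs, n):
            M = support(cs, n)
    return M


def maxactn(D, n, T: Set[int], Z: Set[int]) -> Set[int]:
    """No T-minimal active subnet exists: build the paper's approximation instead."""
    M, xs = set(T), set()
    while M:
        cs = system(D, n, zero=Z, sum_ge1=M)
        if not feasible(cs, n):
            break                          # M = empty set
        sup = support(cs, n)
        M -= sup
        xs |= sup                          # support of x* + x_s
    return minactn(D, n, xs, T & xs)


def active_transitions(D, T: Sequence[int], Z: Sequence[int] = ()) -> Set[int]:
    """Step 1 of the appendix algorithm: the transition set T^A of the active subnet."""
    n = len(D[0])
    T, Z = set(T), set(Z)
    cs = system(D, n, ge1=T, zero=Z)
    if feasible(cs, n):
        return minactn(D, n, support(cs, n), T)
    return maxactn(D, n, T, Z)


# Constructed example: places p1, p2; t1: p1 -> p2, t2: p2 -> p1, t3: p1 -> (nothing).
# Incidence matrix D, rows = places, columns = t1, t2, t3 (indices 0, 1, 2).
D_EXAMPLE = [[-1, 1, -1],
             [1, -1, 0]]

if __name__ == "__main__":
    print(active_transitions(D_EXAMPLE, T=[0]))     # {0, 1}: t1 is only live together with t2
    print(active_transitions(D_EXAMPLE, T=[2]))     # set(): t3 can never be made live
    print(active_transitions(D_EXAMPLE, T=[0, 2]))  # {0, 1}: the T_x-minimal subnet, T_x = {t1}
```

The third call is the case the appendix describes: $T = \{t_1, t_3\}$ has no T-minimal subnet because $t_3$ drains $p_1$ without ever being replenished, so maxactn falls back to the largest $T_x \subset T$ that can be made live, here $T_x = \{t_1\}$, and minactn then trims the support to $\{t_1, t_2\}$.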
Abstract. This paper aims at introducing a mechanism of exceptions 
in a parallel programming language, giving them a formal concurrent 
semantics in terms of preemptible and composable high-level Petri nets. 
We show that, combined with concurrency, exceptions can be used as 
a basis for other preemption related constructs. We illustrate this idea 
by presenting a generalized timeout and a simple UNIX-like system of 
concurrent preemptible threads. 
1 Introduction 

The starting point of our approach is B(PN)² […] (Basic Petri Net Programming 
Notation) which is a high-level programming language comprising in a 
simple syntax most traditional concepts of parallel programming. It includes 
nested parallel composition, iteration, guarded commands, procedures and com- 
munications via both handshake and buffered communication channels, as well 
as shared variables. One of the most interesting aspects of B(PN)² is its simplic- 
ity: it features most classical concepts in a simple syntax. So, it becomes possible 
to use it as a test language and then to extend or apply the results found for 
B(PN)² to “real-life” languages. 

B(PN)² has an original formal semantics in terms of boxes […], a class of 
labelled Petri nets provided with a set of composition operations, and M-nets 
[…], a high-level version of boxes. M-nets are strongly related to boxes by an 
unfolding of M-nets into boxes and allow to represent in a clear and compact 
way large (possibly infinite) systems. B(PN)², boxes and M-nets are implemented 
in the PEP toolkit […], allowing to simulate a modeled system and also to verify its 
properties via model checking. 

Recent works […] led to the definition of the model of P/M-nets which ex- 
tends M-nets with preemption, introducing for this purpose a new operator, $\pi$. 
Given a net $N$, $\pi(N)$ is a net which can be aborted, i.e., its termination can be 
forced immediately. Despite this augmented capability, it is proved in […] that 
P/M-nets stay strictly equivalent to M-nets in terms of computational power 
(both may be transformed into 1-safe Petri nets, but P/M-nets lead to much 
bigger nets) and also have a concurrent semantics. Having preemption naturally 
leads to consider enhancing B(PN)² with related constructs. This paper pro- 
poses a modeling of static exceptions in B(PN)², giving their semantics with 
P/M-nets. 

The presented approach allows to propagate exceptions through a nested 
block structure. However, the resolution procedure proposed here is one of the 
simplest possible: the actually handled exception is chosen arbitrarily between 
exceptions occurring concurrently. On the top of this system, a more sophisti- 
cated resolution system could be introduced, as proposed for instance in […]. 

We also show that combining exceptions with parallelism allows to express 
other constructs like a generalized timeout and a simple multi-threaded system. 

2 M-Nets, P/M-Nets, and Their Algebras 

This section is devoted to introducing P/M-nets, high-level composable and pre- 
emptible Petri nets […], which are used as the semantic model for exceptions. P/M- 
nets are an extension of a high-level net model, called M-nets, which are in- 
troduced first. P/M-nets (as well as M-nets) may be considered as an efficient 
abbreviation for safe place/transition Petri nets, into which they may be unfolded 
[…]. 

2.1 Basic Definitions 

Let $E$ be a set. A multi-set over $E$ is a function $\mu : E \to \mathbb{N}$, generally denoted 
with an extended set notation, e.g., $\{a, a, b\}$ for $\mu(a) = 2$, $\mu(b) = 1$ and $\mu(e) = 0$ 
for all $e \in E \setminus \{a, b\}$. A multi-set $\mu$ is finite if so is its support set $E \setminus \mu^{-1}(0)$. 
We denote by $\mathcal{M}(E)$ (resp. $\mathcal{M}_f(E)$) the set of multi-sets (resp. finite multi-sets) 
over $E$, by $\oplus$ and $\ominus$ the sum and difference of multi-sets. We may also use the 
usual set notations, for example, if $\mu_1$ and $\mu_2$ are two multi-sets over $E$, $\mu_1 \subseteq \mu_2$ 
stands for $\forall x \in E : \mu_1(x) \le \mu_2(x)$. 

2.2 M-Nets 

M-nets (introduced in […] and developed in […]) form a class of high-level Petri 
nets provided with a set of operations giving them a structure of process algebra. 

An M-net $N$ is a triple $(S, T, \iota)$, where $S$ is the set of places, $T$ is the set of 
transitions, $(T \times S) \cup (S \times T)$ is the set of arcs, and $\iota$ is the annotation function 
on places, transitions and arcs. The annotation of a place has the form $\lambda.\tau$, 
where $\lambda$ is a label (entry e, exit x or internal i) and $\tau$ is a type (a non-empty 
set of values from a fixed set $Val$). As usual, for each node (place or transition) 
$r \in S \cup T$, we denote by ${}^\bullet r$ the set of nodes $\{r' \in S \cup T \mid \iota(r', r) \ne \emptyset\}$ and, 
similarly, $r^\bullet = \{r' \in S \cup T \mid \iota(r, r') \ne \emptyset\}$. 

Transition annotations are of the form $\lambda.\gamma$ where $\lambda$ is a label (which can be 
hierarchical or for communications) and $\gamma$ is a guard (a finite set of predicates 
from a set $Pr$). Hierarchical labels are composed out of a single hierarchical 
action (e.g., $X$) indicating a future refinement (i.e., a substitution) by an M-net. 
A transition may perform different kinds of communications when it fires: 

— synchronous ones, similar to CCS ones […], e.g., between transitions la- 
belled by synchronous communication actions such as $A(a_1, \ldots, a_n)$ or 
$\widehat{A}(a'_1, \ldots, a'_n)$, where $A$ is a synchronous communication symbol, $\widehat{A}$ is its 
conjugate and each $a_i$ and $a'_i$ is a value or a variable (belonging to a fixed 
set $Var$); 

— asynchronous ones, e.g., between transitions labelled by asynchronous links 
such as $b^+(a_1)$ or $b^-(a_2)$, where $b$ is an asynchronous communication symbol 
and each $a_i$ is a variable or a value ranging in $type(b) \subseteq Val$. The commu- 
nication is done via a place $s_b$ of type $\tau(s_b) = type(b)$ which plays the role 
of a heap buffer. Link $b^+(a_1)$ means that $a_1$ can be sent to $s_b$ and $b^-(a_2)$ 
means that $a_2$ can be received from $s_b$; 

— or possibly both types at the same time. 

Communication labels are then of the form $\lambda = \alpha.\beta$ where $\alpha$ is a finite 
multi-set of synchronous communication actions and $\beta$ is a finite multi-set of 
asynchronous links. 

Arcs are inscribed by annotations which encode the values consumed or pro- 
duced in places by a firing of an adjacent transition. If no refinement is concerned, 
they are simply multi-sets of values or variables; otherwise they are constructed 
in a systematic way from the arc annotations coming from the refined and re- 
fining nets […]. 

2.3 Dynamic Behavior and Concurrent Semantics of M-Nets 

For each transition $t \in T$ we shall denote by $var(t)$ the set of all the variables 
occurring in the annotations of $t$ and in the arcs coming to and from $t$. A binding 
for a transition $t$ is a substitution $\sigma : var(t) \to Val$; it will be said enabling if it 
satisfies the guard, if it respects the types of the asynchronous links, and if the 
flow of tokens it implies respects the types of the places adjacent to $t$. 

A marking of an M-net $(S, T, \iota)$ is a mapping $M : S \to \mathcal{M}(Val)$ which asso- 
ciates to each place $s \in S$ a multi-set of values from $\tau(s)$. In particular, we shall 
distinguish the entry marking, denoted $M_e$, where, for each $s \in S$, $M_e(s) = \tau(s)$ 
if $\lambda(s) = e$ and the empty multi-set otherwise; the exit marking, $M_x$, is defined 
similarly. 

The transition rule specifies the circumstances under which a marking $M'$ is 
reachable from a marking $M$. A transition $t$ is enabled at a marking $M$, this is 
denoted $M[t\rangle$, if there is an enabling binding $\sigma$ of $t$ such that $\forall s \in S : \iota(s, t)[\sigma] \subseteq 
M(s)$, i.e., there are enough tokens of each type to satisfy the required flow. The 
effect of an occurrence of $t$ is to remove from its input places all the tokens used 
for the enabling binding $\sigma$ and to add to its output places the tokens according 
to $\sigma$; this leads to a marking $M'$ such that 

$$\forall s \in S : M'(s) = M(s) \ominus \iota(s, t)[\sigma] \oplus \iota(t, s)[\sigma].$$ 

The above transition rule defines the interleaving semantics of an M-net 
which consists in a set of occurrence sequences. This semantics can be generalized 
by introducing the step sequence semantics which allows any number of 
transitions to occur simultaneously. 



2.4 Algebra of M-Nets 

For compositionality, we are particularly interested in a sub-class of M-nets: we 
assume that each M-net has at least one entry and one exit place, that each 
transition has at least one input and one output place (T-restrictness property), 
and that there are neither arcs going to entry places nor from exit places. Such 
M-nets are said ex-good. 

The algebra of ex-good M-nets comprises the operations listed below, where 
$N_1$, $N_2$ and $N_3$ are M-nets, $X$ is a hierarchical symbol, $A$ is a synchronous 
communication symbol, $b$ is an asynchronous link symbol and $f$ is a renaming 
function on synchronous and asynchronous symbols. 

$N_1[X \leftarrow N_2]$        refinement 
$N_1[f]$                   renaming 
$N_1 \| N_2$               parallel composition 
$N_1\ \mathrm{sy}\ A$      synchronization 
$N_1 ; N_2$                sequence 
$N_1\ \mathrm{rs}\ A$      restriction 
$N_1 \square N_2$          choice 
$[A : N_1]$                scoping 
$[N_1 * N_2 * N_3]$        iteration 
$N_1\ \mathrm{tie}\ b$     asynchronous links 

The sequential composition “$N_1 ; N_2$” means that $N_1$ is executed first and then 
$N_2$. The parallel composition puts nets side by side without any link between 
them so they can execute in total concurrency. The choice composes nets in 
such a way that only one of them can be executed. The iteration composes three 
nets such that the first one is executed once as an initialization part, then the 
second one is executed an arbitrary number of times as a loop part, and finally 
the third one is executed once as an exit part. The synchronization w.r.t. a 
synchronous symbol $A$ adds to a net new transitions anticipating all possible 
synchronous communications on $A$. The restriction w.r.t. $A$ removes from the 
net all unsatisfied communication capabilities on $A$. The scoping w.r.t. $A$ is 
defined as a synchronization w.r.t. $A$ followed by a restriction w.r.t. $A$; it is 
used to set up all synchronous communications w.r.t. $A$, making them local to 
the net and no longer available for the other synchronizations. The asynchronous 
links operation w.r.t. $b$, applied to a net, adds a new buffer place and arcs 
between transitions which export or import values, through $b^+$ or $b^-$, into or 
from the buffer, and removes all asynchronous link capabilities w.r.t. $b$ from the 
inscriptions of the transitions. The refinement of the transitions labelled $X$ in a 
net by another net is a kind of substitution which allows the refining net to be 
executed each time (for every enabling binding) the hierarchical transition in the 
refined net could fire. Renaming allows to change the names of synchronous or 
asynchronous communication symbols. Detailed explanations and some examples 
of these operations are given in […]. 
2.5 Pairwise Priorities and Priority M-Nets 

Let $N = (S, T, \iota)$ be an M-net. A pairwise priority relation over $T$ is a binary 
relation $\rho \subseteq T \times T$. Intuitively, $(t_1, t_2) \in \rho$ means that during an execution of 
$N$, the firing of transition $t_2$ is always preferred to the firing of $t_1$ when both 
are possible; in other words, $t_1$ has a lower priority than $t_2$. We use standard 
mathematical notations, in particular, for $\rho \subseteq T \times T$, we denote: 

$dom(\rho) = \{t_1 \in T \mid \exists t_2 \in T \text{ such that } (t_1, t_2) \in \rho\}$, 

$cod(\rho) = \{t_2 \in T \mid \exists t_1 \in T \text{ such that } (t_1, t_2) \in \rho\}$. 

A priority M-net is a pair $P = (N, \rho)$ where $N = (S, T, \iota)$ is an M-net 
(possibly having some non T-restricted communication transitions) and $\rho$ is a 
pairwise priority relation over $T$. We call $N$ the net part of $P$. 

Definition 1. Let $P = (N, \rho)$ be a priority M-net, $M$ a marking of $N = (S, T, \iota)$ 
and $t$ a transition of $N$ such that $M[t\rangle$; then $t$ is $\rho$-enabled in $P$ at $M$, denoted 
$M[t\rangle_\rho$, iff $\nexists t' \in T$ such that $M[t'\rangle$ and $(t, t') \in \rho$. 

Notice that $\rho$ allows to disable a transition which would have been enabled 
with the usual M-nets transition rule, but not the contrary. In other words, we 
have $M[t\rangle_\rho \Rightarrow M[t\rangle$. As for M-nets, this transition rule can be generalized in 
order to define the step semantics of priority M-nets […]. 
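Definition 1 together with the transition rule of Section 2.3, as an added example in Python (not code from the paper, nor from the PEP toolkit): arc annotations are restricted to constant multi-sets, so every transition has a single trivial binding, which is enough to exhibit the two points the text makes, namely that a $\rho$-enabled transition is always enabled, and that a higher-priority competitor blocks a transition for as long as the competitor is merely enabled. The net, its initial marking and the priority relation are constructed for the illustration and are not those of Figure 1.

```python
from collections import Counter
from typing import Dict, Set, Tuple

# A finite multi-set over Val (Section 2.1) is represented by a Counter: value -> multiplicity.
Marking = Dict[str, Counter]             # M : S -> M_f(Val)
Arc = Tuple[str, str]


def subset(m1: Counter, m2: Counter) -> bool:
    """m1 ⊆ m2  iff  m1(x) <= m2(x) for every value x."""
    return all(m2[x] >= k for x, k in m1.items())


class Net:
    """Low-level instance of an M-net: arc annotations are constant multi-sets,
    so every transition has exactly one (trivial) binding.
    pre[(s, t)] = ι(s, t) and post[(t, s)] = ι(t, s)."""

    def __init__(self, pre: Dict[Arc, Counter], post: Dict[Arc, Counter]):
        self.pre, self.post = pre, post
        self.transitions: Set[str] = {t for _, t in pre} | {t for t, _ in post}

    def enabled(self, M: Marking, t: str) -> bool:
        """M[t>: each input place holds the tokens its arc annotation consumes."""
        return all(subset(ann, M.get(s, Counter()))
                   for (s, tt), ann in self.pre.items() if tt == t)

    def fire(self, M: Marking, t: str) -> Marking:
        """Transition rule of Section 2.3: M'(s) = M(s) ⊖ ι(s, t) ⊕ ι(t, s)."""
        if not self.enabled(M, t):
            raise ValueError(f"{t} is not enabled")
        M2 = {s: Counter(m) for s, m in M.items()}
        for (s, tt), ann in self.pre.items():
            if tt == t:
                M2[s] = M2.get(s, Counter()) - ann   # Counter '-' keeps positive counts only
        for (tt, s), ann in self.post.items():
            if tt == t:
                M2[s] = M2.get(s, Counter()) + ann
        return M2


def p_enabled(net: Net, rho: Set[Tuple[str, str]], M: Marking, t: str) -> bool:
    """Definition 1: t is ρ-enabled at M iff M[t> and no t' has M[t'> with (t, t') ∈ ρ.
    The competitor t' only has to be enabled in the ordinary sense, not ρ-enabled."""
    return net.enabled(M, t) and not any(net.enabled(M, t2) for (t1, t2) in rho if t1 == t)


def enabled_sets(net: Net, rho: Set[Tuple[str, str]], M: Marking):
    """(enabled set, ρ-enabled set) at M; the second is always a subset of the first."""
    return ({t for t in net.transitions if net.enabled(M, t)},
            {t for t in net.transitions if p_enabled(net, rho, M, t)})


# Constructed net (assumed for this example): place s1 of type {1, 2}, places s2 and s3
# of type {•}; t1 takes 1 from s1, t3 takes 2 from s1, t2 takes the • from s2, and all
# three produce a • in s3.
DOT = "•"
NET = Net(
    pre={("s1", "t1"): Counter({1: 1}), ("s1", "t3"): Counter({2: 1}),
         ("s2", "t2"): Counter({DOT: 1})},
    post={("t1", "s3"): Counter({DOT: 1}), ("t2", "s3"): Counter({DOT: 1}),
          ("t3", "s3"): Counter({DOT: 1})},
)
RHO = {("t1", "t2")}                     # (t1, t2) ∈ ρ: t2 is preferred to t1
M0: Marking = {"s1": Counter({1: 1, 2: 1}), "s2": Counter({DOT: 1}), "s3": Counter()}


def run_example():
    en0, pen0 = enabled_sets(NET, RHO, M0)   # t1 is enabled but not ρ-enabled while t2 is enabled
    M1 = NET.fire(M0, "t2")                  # firing t2 empties s2 ...
    en1, pen1 = enabled_sets(NET, RHO, M1)   # ... so t1 becomes ρ-enabled as well
    return en0, pen0, en1, pen1, M1
```

At $M_0$ the ordinary enabled set is $\{t_1, t_2, t_3\}$ while the $\rho$-enabled set is $\{t_2, t_3\}$; after $t_2$ has fired, $t_1$ is no longer blocked. Replacing the constant annotations by variables would only change the enabledness check into a search over bindings $\sigma$; the priority check of Definition 1 stays as written.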

An algebra of priority M-nets can also be considered. The extension of the 
usual M-net operations to priority M-nets is immediate for most of them. In order 
to make the paper self-contained, we recall here the definition from […] which 
is important for introducing the preemption operation $\pi$ and preemptible 
M-nets. 

Definition 2. Let $P_i = (N_i, \rho_i)$, for $i \in \{1, 2, 3\}$, be priority M-nets, where 
$N_i = (S_i, T_i, \iota_i)$, and let $X$ be a hierarchical symbol, $A$ a synchronous commu- 
nication symbol, $b$ an asynchronous link symbol, and $f$ a renaming function on 
communication symbols. The usual M-net operations are extended as follows for 
priority M-nets: 

— $P_1[X \leftarrow P_2] = (N_1[X \leftarrow N_2], \rho)$ where 
$\rho = \{(t, t') \in \rho_1 \mid \lambda_1(t) \ne X \wedge \lambda_1(t') \ne X\}$ 
$\uplus \{(t_X.t, t_X.t') \mid (t, t') \in \rho_2 \wedge t_X \in T_1 \wedge \lambda_1(t_X) = X\}$ 
$\uplus \{(t_X.t, t') \mid t \notin cod(\rho_2) \wedge (t_X, t') \in \rho_1 \wedge t_X \in T_1 \wedge \lambda_1(t_X) = X\}$; 

— $P_1\ \mathrm{tie}\ b = (N_1\ \mathrm{tie}\ b, \rho_1)$; 

— $P_1[f] = (N_1[f], \rho_1)$; 

— $P_1\ \mathrm{sy}\ A = (N_1\ \mathrm{sy}\ A, \rho)$ where $N_1\ \mathrm{sy}\ A = (S, T, \iota)$ and $\rho$ is the smallest set 
including $\rho_1$ such that if $t' \in T$ results from a basic synchronization of $t_1$ 
with $t_2$, then 

— if $\exists t''$ such that $(t_1, t'') \in \rho$ or $(t_2, t'') \in \rho$, then $(t', t'') \in \rho$, 

— if $\exists t''$ such that $(t'', t_1) \in \rho$ or $(t'', t_2) \in \rho$, then $(t'', t') \in \rho$. 

— $P_1\ \mathrm{rs}\ A = (N_1\ \mathrm{rs}\ A, \rho)$, where $N_1\ \mathrm{rs}\ A = (S, T, \iota)$ and $\rho = \rho_1 \cap (T \times T)$. 
[Figure 1: two priority M-nets, $P = (N, \{(t_3, t_2)\})$ on the left and 
$P\ \mathrm{sy}\ A = (N\ \mathrm{sy}\ A, \{(t_3, t_2), (t_3, t_4)\})$ on the right, with entry places labelled 
e.{1,2}, e.{•}, e.{•}, exit places labelled x.{•}, x.{1,2}, x.{•}, and transitions carrying the 
synchronous labels $\{A(a)\}$, $\{\widehat{A}(a')\}$ and $\{B\}$.] 

Fig. 1. Example of synchronization of a priority M-net. (Only synchronous labels are 
represented.) Restricting on $A$ would remove from the net transitions $t_1$ and $t_2$ (with 
their surrounding arcs) and pair $(t_3, t_2)$ from the priority relation. 



Control flow operators, such as sequential composition, iteration, parallel compo- 
sition and choice, are based on refinement and so they are defined canonically. 
Scoping, as for M-nets, is defined as a synchronization followed by a restriction: 
$[A : P] = (P\ \mathrm{sy}\ A)\ \mathrm{rs}\ A$. 

Figure 1 shows an example of synchronization in a priority M-net. Transitions 
$t_1$ and $t_2$ are synchronized, leading to a new transition $t_4$ which “inherits” from $t_2$ 
its priority over $t_3$. In figures, transitions with thick borders are those belonging 
to $cod(\rho)$ and thus have the priority over some other ones. This notation is used 
in all the sequel. 

The definition of operation $\pi$ is very important in our context because it 
allows to make abortable an arbitrary priority M-net $P = (N, \rho)$. The definition 
of $\pi$ presented here is slightly different from the original one from […], but the 
modification only concerns some labels involved in the semantics of exceptions. 
We use for it the priority M-net $P_\pi = (N_\pi, \rho_\pi)$ where $N_\pi$ is represented in 
Figure 2, the priority relation being 

$\rho_\pi = \{(t_8, t_2), (\ldots), (t_3, t_4)\}$. 

In order to produce $\pi(P)$, $P$ is embedded in $P_\pi$ by refining transition $t_X$ and 
the resulting net is synchronized w.r.t. throw. This way, if $P$ does not throw any 
exception, it completes and so does $\pi(P)$ by firing transition $t_0$ (and no other 
transition in $N_\pi$ can fire). However, in the case where $P$ throws an exception, 
by firing a transition labelled with throw, transition $t_1$ fires too and enables the 
abortion of $\pi(P)$. This abortion is performed by consuming tokens in $P$ through 
the loop on $t_2$ which is synchronized with the “emptying transitions”, $t_s \in T_s$, 
added to $P$ when $\pi$ is applied. Transitions $t_{\ldots}$ to $t_{\ldots}$ are used to transmit abortion 
to all $\pi$’s nested in $P$. (More detailed explanations of this mechanism can be 
found in […].) Abortion is not elementary but, thanks to priorities, it is atomic 
in the sense defined in […]: when started, abortion cannot be interrupted. When 
Fig. 2. $N_\pi$, net part of $P_\pi$, where $type(b) = Val$, $type(c) = \mathbb{N}$ and $\tau(s_2) = \{\circ\}$. 

abortion is terminated, transition $t_9$ fires, triggering the handler for the raised 
exception. 

Definition 3. Let $P$ be a priority M-net. Then, 

$$\pi(P) = \Big(\big[\{abort, throw, kill, empty\} : Ab(P_\pi[X \leftarrow P])\big]\ \mathrm{tie}\ \{c, b\}\Big)[kill' \leftarrow kill,\ empty' \leftarrow empty]$$ 

where $P_\pi$ is the priority M-net defined above and $Ab$ is an auxiliary opera- 
tion which includes the additional emptying transitions; if $P_\pi[X \leftarrow P] = P' = 
((S', T', \iota'), \rho')$, then $Ab(P') = ((S'', T'', \iota''), \rho'')$ with: 

— $S'' = S'$, and $\forall s \in S'' : \iota''(s) = \iota'(s)$; 

— $T'' = T' \uplus T_s$ where $T_s = \{t_s \mid s \in S' \setminus \{x\} \wedge s^\bullet \cap cod(\rho') = \emptyset\}$ 
and $\forall t \in T'' : \iota''(t) = \iota'(t)$ if $t \in T'$, and $\iota''(t) = \{abort\}.\ldots$ if $t \in T_s$; 

— $\forall (s, t) \in S'' \times T'' : \iota''(s, t) = \iota'(s, t)$ if $t \in T'$, $\{a\} \subseteq Var$ if $t = t_s \in T_s$, 
$\emptyset$ if $t \in T_s \setminus \{t_s\}$; 

— $\rho'' = \rho' \uplus \{(t, t_s) \mid t_s \in T_s \wedge t \in ({}^\bullet t_s)^\bullet\}$. 
This mechanism is directly applied to the semantics of exceptions in a pro- 
gramming language. A net semantics $P$ of (a part of) a concurrent program 
usually contains some $throw(e)$-labelled transitions. It means that if such a 
transition fires, $P$ should not continue its normal behavior but should start 
an exceptional one. Operation $\pi$ embeds $P$ in such a way that the firing of such 
a transition in $\pi(P)$ is taken into account and brings about abortion of all the 
part corresponding to $P$ in $\pi(P)$. This abortion is atomic (even if composed of 
several events) and when it is finished, a $catch(e)$-labelled transition can fire in 
$\pi(P)$. Also, $catch(e)$ is the only action related to exceptions and visible outside 
$\pi(P)$. It is used to trigger the handler for the thrown exception. 

2.6 Preemptible M-Nets: P/M-Nets 

Preemptible M-nets (P/M-nets for short) are defined as a sub-class of priority 
M-nets with some structural constraints. These constraints allow P/M-nets to 
have interesting properties, such as to be transformable into safe Petri nets. This 
sub-class is reasonably wide (it includes ex-good M-nets) and sound with respect 
to the semantics of preemption […]. 

Definition 4. Let $P = (N, \rho)$ be a priority M-net. $P$ is a P/M-net iff either: 

— $N$ is an ex-good M-net and $\rho = \emptyset$, or 

— […] 
P/M-nets, $X$ is a hierarchical symbol, $A$ is a synchronous communication 
symbol, $b$ is an asynchronous links symbol, and $f$ is a renaming function on 
communication symbols. 

In the following, we often use some basic P/M-nets as that shown in Figure 3. 
Their net parts are denoted by the label of their unique transition (i.e., $\alpha.\beta.\gamma$ 
or $X.\gamma$). 

Fig. 3. A basic M-net used in this paper. Transition $t$ may be either a communication 
transition in which case $\iota(t) = \alpha.\beta.\gamma$ or a hierarchical one with $\iota(t) = X.\gamma$. 



3 Syntax and Semantics of B(PN)² 

B(PN)² is a parallel programming language comprising shared memory par- 
allelism, channel (FIFO buffer) communication with arbitrary capacities, and 
allowing the nesting of parallel operators, blocks and procedures. 

The following is a fragment of the syntax of B(PN)² (with keywords typeset 
in bold face, non-terminals in roman face and italics denoting values supplied by 
the program): 

program    ::= program block 
block      ::= begin scope end 
scope      ::= com | decl ; scope 
com        ::= (expr) | proc-call 
             | com || com | com ; com | do alt-set od 
             | block | (com) 
decl       ::= var name: set 
             | var name: chan k of set 
             | procedure name (formal-parlist) block 
             | decl, decl 
proc-call  ::= name (effective-parlist) 

An atomic action is a B(PN)² expression “(expr)”, i.e., a term constructed 
over operators, constants (here again, $Val$ is the set of all possible values) and 
identifiers of program variables and channels. A program variable $v$ can appear 
in an expression as $'v$ (pre-value) or $v'$ (post-value), denoting respectively its 
value just before and just after the evaluation of the expression during an exe- 
cution of the program. A channel variable $c$ can appear in an expression as $c!$ 
(sending) or $c?$ (receiving), denoting respectively the value sent or received in a 
communication on the channel $c$. An atomic action can execute if the expression 
evaluates to true. Thus, for example, $('v > 0 \wedge v' = c?)$ corresponds to a guarded 
communication which requires $v$ to be greater than zero and a communication to 
be available on channel $c$, in which case the value communicated on $c$ is assigned 
to variable $v$. 

A command “com” is either an atomic action, a procedure call (“proc-call”), 
one of a number of command composition operators or a block comprising some 
declarations for a command. Parentheses allow to combine the various command 
compositions arbitrarily. 

The domain of relevance of a variable, channel or procedure identifier is 
limited to the part of a B(PN)² program, called “scope”, which follows its dec- 
laration. As usual, a declaration, in a new block, with an already used identifier 
results in the masking of the existing identifier by the new one. A procedure 
can be declared with or without parameters (in which case its “formal-parlist” 
is empty); each parameter can be passed by value, by result or by reference. A 
declaration of a program variable or a channel is made with the keyword “var” 
followed by an identifier with a type specification which can be “set”, or “chan 
k of set” where set is a set of values. For a type “set”, the identifier describes an 
ordinary program variable which may carry values within set. Clause “chan k 
of set” declares a channel of capacity k (which can be 0 for handshake commu- 
nications, 1 or more for bounded capacities, or $\infty$ for an unbounded capacity) 
that may store values within set. 

Besides traditional control flow constructs, sequence and parallel composi- 
tion, there is a command “do . . . od” which allows to express all types of loops 
and conditional statements. The core of statement “do . . . od” is a set of clauses 
of two types: repeat commands, “com; repeat”, and exit commands, “com; 
exit”. During an execution, there can be zero or more iterations, each of them 
being an execution of one of the repeat commands. The loop is terminated by 
an execution of one of the exit commands. Each repeat and exit command is 
typically a sequence with an initial atomic action, the executability of which de- 
termines whether that repeat or exit command can start. If several are possible, 
there is a non-deterministic choice between them. 

3.1 P/M-Net Based Semantics of B(PN)² 

The definition of the M-net semantics of B(PN)² programs (having no pre- 
emptible constructs) is given in […] through a semantical function $Mnet$. A 
P/M-net semantics of such programs is easy to obtain through the canonical 
transformation from M-nets to P/M-nets (as defined in […]). 

In this paper, we introduce new constructs in B(PN)² in order to provide it 
with exceptions. The associated semantics is given through a semantical function 
$PM$ which extends the canonical semantics obtained from $Mnet$: function $PM$ 
maps directly the new B(PN)² constructs or overrides the semantics of some 
existing ones, in particular, of blocks, which may now include the treatment of 
exceptions. 

The semantics of a program is defined via the semantics of its constituting 
parts. The main idea in describing a block is (i) to juxtapose the nets for its local 
resources declarations with the net for its command followed by a termination 
net for the declared variables, (ii) to synchronize all matching data/command 
transitions and (iii) to restrict these transitions in order to make local variables 
invisible outside of the block. 

The access to a program variable $v$ is represented by synchronous action 
$V(v^i, v^o)$ which describes the change of value of $v$ from its current value $v^i$ (i for 
input) to the new value $v^o$ (o for output). 

Each declared variable is described by some data P/M-net of the correspond- 
ing type, e.g., $N_{var}(v, set)$ for a variable $v$ of type set or $N_{chan,k}(c, set)$ for a 
variable $c$ being a channel of capacity $k$ which may carry values of type set. The 
current value of the variable $v$ is stored in a place and may be changed through 
a $\{V(v^i, v^o)\}$-labelled transition in the data net, while $\{C!(c^!)\}$- and $\{C?(c^?)\}$- 
labelled transitions are used for sending or receiving values to or from channel 
$c$. 

Sequential and parallel compositions are directly translated into the corre- 
sponding net operations, e.g., $PM(com_1 ; com_2) = PM(com_1) ; PM(com_2)$. The 
semantics of the “do . . . od” construct involves the P/M-net iteration operator. 

The semantics of an atomic action “(expr)” is $(\alpha.\emptyset.\gamma, \emptyset)$ where $\alpha$ is a set of 
synchronous communication actions corresponding to program variables involved 
in “expr”, and $\gamma$ is the guard obtained from “expr” with program variables 
appropriately replaced by net variables, e.g., $v^i$ for $'v$ and $v^o$ for $v'$. For instance, 
we have: 

$$PM(('v > 0 \wedge v' = c?)) = \big(\{V(v^i, v^o), C?(c^?)\}.\emptyset.\{v^i > 0 \wedge v^o = c^?\},\ \emptyset\big).$$ 

The P/M-net above has one transition as shown in Figure 3. Its synchronous label 
performs a communication with the resource net for variable $v$ and for channel 
$c$: it reads $v^i$ and writes $v^o$ with action $V(v^i, v^o)$, and it gets $c^?$ on the channel 
with action $C?(c^?)$. The guard ensures that $v^i > 0$ and that $v^o$ is set to the value 
got on the channel. 

4 Modeling Exceptions 

In order to model exceptions we introduce in the syntax of B(PN)² a new com- 
mand, throw, which takes one argument which may be either a constant in $Val$, 
in which case it is denoted by $w$, or a program variable, in which case it is de- 
noted by $v$. It actually represents the exception to throw. Moreover, we change 
the syntax for the blocks as follows: 

block        ::= begin scope end 
               | begin scope catch-list end 
catch-list   ::= catch-clause 
               | [catch-clause or] catch-others [v] [then com] 
catch-clause ::= catch w [then com] 
               | catch-clause or catch-clause 

Each catch-clause specifies how to react to an exception $w$ (a value in $Val$). 
The optional clause catch-others can be used to catch any exception uncaught 
by a previous catch-clause; in this case, it is possible to save the caught exception 
in a variable $v$ whose type must be $Val$. 

The semantics for a block “begin scope $cc_1$ or ... or $cc_k$ end” where scope is 
the scope for the block and the $cc_i$’s are the catch-clauses ($cc_i$ handles exception 
$w_i$, $cc_k$ may be a clause catch-others) is the following: 

$$PM(\textbf{begin}\ scope\ cc_1\ \textbf{or} \ldots \textbf{or}\ cc_k\ \textbf{end}) = \Big[\{catch, noexcept\} : \pi\big(PM(scope) ; (\{noexcept\}.\emptyset.\emptyset,\ \emptyset)\big) ; \big(PM(cc_1) \square \cdots \square PM(cc_k) \square P_{transmit} \square (\{noexcept\}.\emptyset.\emptyset,\ \emptyset)\big)\Big]$$ 

where $P_{transmit}$ and $noexcept$ are explained below. 

If the block finishes without throwing any exception, action $\{noexcept\}.\emptyset.\emptyset$ 
is reached in $\pi(PM(scope) ; (\{noexcept\}.\emptyset.\emptyset, \emptyset))$ and the block can exit by fir- 
ing the transition which results from the synchronization w.r.t. $noexcept$. If an 
exception $e$ ($e$ is a net variable) is thrown in the block, it is either caught by 
one of the catch-clauses $cc_i$ in the block and then a corresponding $PM(cc_i)$ is 
executed, or there is no specific catch-clause for it and there are still two cases: 

— a catch-clause has been specified explicitly in $cc_k$ using catch-others, in 
which case the corresponding $PM(cc_k)$ is executed; 

— there is no catch-others specified in the block and so, the uncaught excep- 
tion $e$ is simply re-thrown by P/M-net $P_{transmit}$. 
P/M-net $P_{transmit}$ is defined as follows: 

$$P_{transmit} = \begin{cases} (N_{stop},\ \emptyset) & \text{if } cc_k \text{ is a clause catch-others;} \\ \big(\{catch(e), throw(e)\}.\emptyset.\{e \ne w_1 \wedge \cdots \wedge e \ne w_k\},\ \emptyset\big) & \text{otherwise.} \end{cases}$$ 

where $N_{stop}$ is shown in Figure 4 and $w_1, \ldots, w_k$ are the exceptions caught in 
the catch-clauses of the block. 

Fig. 4. The net $N_{stop}$ used in the semantics of blocks. 



The new constructs added to the syntax have the following semantics: 

$PM(\textbf{throw}(w)) = (\{throw(w)\}.\emptyset.\emptyset,\ \emptyset)$ 

$PM(\textbf{throw}(v)) = (\{V(v^i, v^o), throw(e)\}.\emptyset.\{e = v^i \wedge v^o = v^i\},\ \emptyset)$ 
where $e$ is a net variable 

$PM(\textbf{catch}\ w) = (\{catch(w)\}.\emptyset.\emptyset,\ \emptyset)$ 

$PM(\textbf{catch}\ w\ \textbf{then}\ com) = PM(\textbf{catch}\ w) ; PM(com)$ 

$PM(\textbf{catch-others}) = (\{catch(e)\}.\emptyset.\{e \ne w_1 \wedge \cdots \wedge e \ne w_{k-1}\},\ \emptyset)$ 
where $w_1, \ldots, w_{k-1}$ are the exceptions caught in the previous 
catch-clauses 

$PM(\textbf{catch-others}\ v) = (\{catch(e), V(v^i, v^o)\}.\emptyset.\{e \ne w_1 \wedge \cdots \wedge e \ne w_{k-1} \wedge v^o = e\},\ \emptyset)$ 

$PM(\textbf{catch-others}\ \textbf{then}\ com) = PM(\textbf{catch-others}) ; PM(com)$ 

$PM(\textbf{catch-others}\ v\ \textbf{then}\ com) = PM(\textbf{catch-others}\ v) ; PM(com)$ 

The propagation of exceptions is ensured by alternating scoping w.r.t. throw
and catch, as shown in figure 5. First a throw(e) is "emitted" somewhere in
scope. Operation tt aborts the scope and "converts" the throw(e) into a catch(e)
which synchronizes with an appropriate catch(w_i), then the associated com_i is
executed.

In figure 5 we assume that cc_k is a clause catch-others which re-throws the
exception outside the block. Otherwise, the semantics of the blocks would have
ensured this behavior. For 1 ≤ i < k, we assume that cc_i is a clause "catch w_i
then com_i".

Notice that several exceptions may be thrown concurrently (from different
concurrent parts of the block); in such a case the choice operation in the
semantics of the blocks ensures that only one of them may be caught and the
others are ignored (this choice is non-deterministic).
Fig. 5. The semantics of a block with exceptions. A simple arrow denotes a causal
dependence between two actions, a double arrow links two synchronized actions. The
thick arrow denotes that abortion is performed between the occurrence of the two
linked actions.



4.1 Preprocessing

On top of the semantics given above, we build a preprocessor which rewrites
programs, before PM is applied, in order to enforce a more intuitive behavior.
Until now:

1. The variables declared in a block are not visible from the commands given
in the catch-clauses of this block. The reason is that the declarations for the
block are made in a scope nested in tt and so they are local to it.

2. Exceptions at the top level of the program are not handled.

The first rewriting rule fixes the first point. It applies when a block comprises
some declaration followed by a command and some catch-clauses (all three at
the same time):
(R1) :   begin
           declarations ;
           command
           catch-clauses
         end
       →
         begin
           declarations ;
           begin
             command
             catch-clauses
           end
         end



Then, we use a simple rule for the second point:

(R2) :   program name block
       →
         program name
         begin
           block
           catch-others
         end

In order to avoid a recursive application of this rule, the preprocessor has to
jump to block after the first application of (R2).

Notice that this rule changes the behavior of the program since it now
silently discards an unhandled exception. This behavior may be undesirable and
one may prefer a more sophisticated rule which would warn about the problem.
Our purpose is just to show that embedding the whole program into a generic
environment is an easy solution to this problem.



4.2 Semantics of Procedures in the Context of Static Exceptions

It is well known that static exceptions may lead to an unexpected behavior of
procedures when they raise an exception. Consider for example the following
block and its sub-block (where w is a given value):

begin
  procedure P() begin throw(w) end ;
  begin
    P()
    catch w
  end
end

One could expect the clause "catch w" to catch the exception thrown by the
procedure call. But it is not the case with static exceptions: a throw occurs
"physically" where it was declared, and so, not inside the sub-block.

In order to have the intuitively expected behavior, we extend the preprocessor
in such a way that it encapsulates procedure declarations and procedure calls
into some additional B(PN)² constructs. The usual way to solve this is to
consider an exception coming out of a procedure call as a hidden return value.
If this value is set when the procedure returns, then this value is re-thrown
at the call point. This way, the thrown exception continues to be propagated
from the point where the procedure was called and not from where it was
declared. To do this, the preprocessor adds two additional parameters to all
procedure calls and declarations, one is used to know if an exception was
thrown during the procedure call and the other carries the value of the
exception when needed.

A call to a procedure P is encapsulated into a block which declares two
additional variables, ex and v, which are assumed not to be already used as
parameters for P nor as variables already visible from P (in such a case, we
just need to choose other names). Variable ex is set to ⊥ if no exception is
thrown in P, otherwise it is set to ⊤ and, in this case, v stores the value of
the thrown exception. So, for procedure calls, we have:

(R3) :   P(effective-parlist)
       →
         begin
           var ex : {⊤, ⊥} , var v : Val ;
           P(effective-parlist, ex, v) ;
           ⟨ex = ⊥⟩ ; exit
           od
         end

where ex and v are fresh identifiers and effective-parlist is the list of
effective parameters for the procedure call.

For a procedure declaration, we have:

         procedure P(formal-parlist, ref ex, ref v)
         begin
           block ; ⟨ex' = ⊥⟩
           catch-others v then ⟨ex' = ⊤⟩
         end

where ex and v are fresh identifiers not already used in formal-parlist (the
list of formal parameters). These two new parameters are passed by reference.

Since these rules could be applied recursively, the preprocessor uses the
following additional directives: for (R3), it jumps directly after the text
produced since it does not match any other rule; for (R4), the preprocessor
just has to jump to block since no other rule matches the rest.
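The four rewriting rules and their jump directives, as an added example that is not part of the paper: a Python rewriter over a small tuple-based abstract syntax. The node shapes, the fresh-name scheme and the 'alt' node standing for the do-od alternatives of (R3) (its ex = ⊤ branch re-throws v at the call point, as the prose describes) are assumptions made here; T and bot stand for ⊤ and ⊥.

```python
# Preprocessing rules (R1)-(R4) of the text over a small tuple-based abstract
# syntax.  Added example, not the paper's code: the node shapes below, the
# fresh-name scheme and the 'alt' node standing for the do-od alternatives of
# (R3) (ex = T re-throws v at the call point, as the prose describes) are
# assumptions made for illustration.  T and bot stand for the two truth values.
#   ('program', name, block)         ('block', decls, command, catch_clauses)
#   ('proc', name, params, block)    ('call', name, args)
#   ('var', name, domain, by_ref)    ('catch', w, v, com)  w=None: catch-others
#   ('seq', [cmds])   ('alt', [cmds])   ('atom', text)   ('throw', x)

CATCH_OTHERS = ('catch', None, None, None)

def identifiers(node):
    """All string leaves of a tree: an over-approximation of the names in
    use, which is enough to keep the hidden variables ex and v fresh."""
    if isinstance(node, str):
        return {node}
    if isinstance(node, (tuple, list)):
        return set().union(*(identifiers(x) for x in node))
    return set()

def fresh(base, used):
    """Return base, or base1, base2, ... if base is already in use."""
    name, i = base, 0
    while name in used:
        i += 1
        name = f"{base}{i}"
    used.add(name)
    return name

def r1(block):
    """(R1): a block with declarations, a command and catch-clauses nests
    the command and the catch-clauses in an inner block, so that the
    declarations are visible from the catch-clauses."""
    _, decls, command, catches = block
    if decls and command is not None and catches:
        return ('block', decls, ('block', [], command, catches), [])
    return block

def r3(call, used):
    """(R3): wrap a call in a block declaring ex and v, pass them to the
    callee and re-throw v at the call point when ex = T."""
    _, proc, args = call
    ex, v = fresh('ex', used), fresh('v', used)
    after_call = ('alt', [
        ('seq', [('atom', f"{ex} = bot"), ('atom', 'exit')]),
        ('seq', [('atom', f"{ex} = T"), ('throw', v), ('atom', 'exit')])])
    return ('block',
            [('var', ex, '{T, bot}', False), ('var', v, 'Val', False)],
            ('seq', [('call', proc, args + [ex, v]), after_call]),
            [])

def r4(proc, used):
    """(R4): add by-reference parameters ex and v; the body sets ex' = bot on
    normal termination and catch-others v sets ex' = T otherwise."""
    _, name, params, body = proc
    ex, v = fresh('ex', used), fresh('v', used)
    params = params + [('var', ex, '{T, bot}', True), ('var', v, 'Val', True)]
    body = ('block', [],
            ('seq', [body, ('atom', f"{ex}' = bot")]),
            [('catch', None, v, ('atom', f"{ex}' = T"))])
    return ('proc', name, params, body)

def preprocess(node, used):
    """Apply the rules top-down with the jump directives of the text: (R2) is
    applied once at the top, the text produced by (R3) is not revisited and
    after (R4) only the original block is."""
    if isinstance(node, list):
        return [preprocess(x, used) for x in node]
    if not isinstance(node, tuple):
        return node
    tag = node[0]
    if tag == 'program':                       # (R2)
        return ('program', node[1],
                ('block', [], preprocess(node[2], used), [CATCH_OTHERS]))
    if tag == 'call':                          # (R3)
        return r3(node, used)
    if tag == 'proc':                          # (R4)
        _, name, params, body = node
        return r4(('proc', name, params, preprocess(body, used)), used)
    if tag == 'block':                         # (R1), then descend
        _, decls, command, catches = r1(node)
        return ('block', preprocess(decls, used),
                preprocess(command, used), preprocess(catches, used))
    return tuple(preprocess(x, used) for x in node)

# The block of the text, with a variable v and a parameter a added so that
# (R1) fires and the fresh-name check is exercised (constructed input).
PROGRAM = ('program', 'demo', ('block',
    [('proc', 'P', [('var', 'a', 'Val', False)],
      ('block', [], ('throw', 'w'), []))],
    ('block', [('var', 'v', 'Val', False)],
     ('call', 'P', ['v']),
     [('catch', 'w', None, None)]),
    []))

def demo():
    """Rewrite PROGRAM; every name visible in it is treated as already used."""
    return preprocess(PROGRAM, identifiers(PROGRAM))
```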

5 Applications

Combined with concurrency, exceptions allow one to express some other
preemption related constructs. As an illustration, we give in this section two
applications of the exceptions introduced in the paper. First, we use the
exceptions in order to introduce in the language a generalized timeout. Second,
we show how to model systems composed of concurrently running blocks, called
threads, which can be killed from other parts of the program, in particular
from the other threads.

5.1 Generalized Timeout

A timeout is usually expressed through a construct such as:

run com_1 then com'_1
before com_2 then com'_2

which intuitively means "start concurrently commands com_1 and com_2; if com_1
finishes before com_2, then run com'_1 else run com'_2". Usually, com_2 just waits
for a timeout event. This may be expressed using exceptions: the command which
finishes first throws an exception which is caught in order to run either com'_1
or com'_2. So, the syntax given above may be rewritten as the following B(PN)²
block:

begin
  ( com_1 ; throw(1) ) || ( com_2 ; throw(2) )
  catch 1 then com'_1
  or catch 2 then com'_2
end

This construct can be easily generalized to an arbitrary number of commands
running concurrently, each one trying to finish first. The "winner" kills the
others and is the only one allowed to execute its then clause. It would also be
useful to allow one of the clauses to be a timeout. This may be made easily
using, for instance, the causal time model introduced in [?]. Thus, the syntax
would become:

run com_1 then com'_1
and com_2 then com'_2
...
and com_n then com'_n
[ timeout d then com' ]
end run

where d is the number of clock ticks to be counted before timeout occurs. This
generalizes the run/before construct given above and its semantics is easy to
obtain: all com_i and, optionally, a chronometer for at most d clock ticks run
concurrently; the first which finishes stops the chronometer and throws an
exception which is caught in order to execute the corresponding com'.

5.2 Simple Threads

As they are defined above, exceptions model what we could call "internal
abortion": an exception is propagated through the nesting of blocks, from
internal to external ones. In the following, we show that exceptions can be used
in order to model "external abortion" where a block can be aborted by another
(non nested) one. For this purpose, we model a simple multi-threaded system in
which processes (or threads), identified by process identifiers (pid for short),
are able to be killed from any part of the system. The execution of a command
"kill(s,p)" somewhere in the program has the effect of sending signal s to the
thread identified by p. When it receives a signal, a thread is allowed to run a
command and then it finishes. This behavior is a simplification of what happens
in UNIX-like systems. We use the following syntax for threads:

thread
  declarations for the thread ;
  command for the thread
  signal sig_1 then com_1
  ...
  signal sig_n then com_n
end thread

Constants sig_1 to sig_n are the signals captured by the thread; we assume
that there exists a reserved constant SIGKILL which cannot be used in a clause
signal (in UNIX, it is the name of a signal which cannot be captured). This
restriction can be checked syntactically and will be useful in the following.

The programmer is also provided with a new command "kill(s,p)" which
may be used to send a signal s (any constant in Val) to a thread identified by p.
One could prefer to restrict signals to a predefined set but this is not necessary
for our purpose. The semantics for this new command is simply

$PM(\mathrm{kill}(s,p)) = (\{kill(s,p)\}.\emptyset.\emptyset , \emptyset).$

Inside each thread, a variable called pid is implicitly declared; it contains the
pid allocated for the thread. This variable must not be changed by the program
(this is easy to check syntactically).

In order to attribute pids and to transmit signals, we use a pid server, which
is a kind of data P/M-net: its priority relation is empty and its net part is
defined by the following expression:

$$\begin{array}{l}
\big[\ \emptyset.\{b^+((p_1,\bot)), \ldots, b^+((p_k,\bot))\}.\emptyset \\
\ *\ \big(\{kill(s,p), transmit(s,p)\}.\emptyset.\emptyset
\ \square\ \{allocpid(p)\}.\{b^-((p,\bot)), b^+((p,\top))\}.\emptyset
\ \square\ \{freepid(p)\}.\{b^-((p,\top)), b^+((p,\bot))\}.\emptyset\big) \\
\ *\ \{PS_t\}.\{b^-((p_1,x_1)), \ldots, b^-((p_k,x_k))\}.\emptyset\ \big]\ \mathrm{tie}\ b
\end{array}$$

This iteration is composed of three parts (separated by stars):

— $\emptyset.\{b^+((p_1,\bot)), \ldots, b^+((p_k,\bot))\}.\emptyset$ is the initialization which sets up the
server by filling the heap buffer represented by the asynchronous links on
b. It is filled with pairs $(p_i, \bot)$, for $1 \le i \le k$, where the $p_i$'s are the pids and
⊥ marks them free;

— conversely, the termination, $\{PS_t\}.\{b^-((p_1,x_1)), \ldots, b^-((p_k,x_k))\}.\emptyset$, clears
the buffer; it can be triggered from the outside with a synchronization on
action $PS_t$;

— the repeated part is the most complicated. It is a choice between three
actions, this choice being proposed repeatedly as long as the iteration is not
terminated. It offers the following services:

  — allocation of a pid when a thread starts: when the transition labelled
  by $\{allocpid(p)\}.\{b^-((p,\bot)), b^+((p,\top))\}.\emptyset$ fires, a token $(p, \bot)$ is chosen
  through asynchronous links on b and marked used (with ⊤ on its second
  component);

  — symmetrically, when a thread terminates, it frees its pid by synchronizing
  with $\{freepid(p)\}.\{b^-((p,\top)), b^+((p,\bot))\}.\emptyset$;

  — part $\{kill(s,p), transmit(s,p)\}.\emptyset.\emptyset$ is used to transmit a signal to a
  thread identified by p. It just "converts" a kill into a transmit.



The iteration is under the scope of a tie b which sets up the asynchronous links. 

Notice that because of the choice in the loop part of the iteration, only one
thread action (starting, terminating or killing a thread) can be executed at one
time, which avoids, for instance, mutual killings. However, a server with more
concurrent behavior may be designed.

Given this server, we define three internal commands (i.e., not available
to the programmer) with the following semantics:



— "alloc-pid(v)" asks the server to allocate a pid which is written in variable
v, so we have

$PM(\mathrm{alloc\text{-}pid}(v)) = (\{allocpid(p), V(v^\bullet, v^\circ)\}.\emptyset.\{v^\circ = p\} , \emptyset)$

— "free-pid(v)" frees an allocated pid, reading it in v, and so

$PM(\mathrm{free\text{-}pid}(v)) = (\{freepid(p), V(v^\bullet, v^\circ)\}.\emptyset.\{p = v^\bullet\} , \emptyset)$

— "capture-signals" receives a signal relayed by the server and converts it
into an exception:

$$\begin{array}{l}
PM(\mathrm{capture\text{-}signals}) = \big(\{transmit(s,p), throw(s), PID(pid^\bullet, pid^\circ)\}.\emptyset.\{p = pid^\bullet \wedge pid^\circ = pid^\bullet\} \\
\quad \square\ \{transmit(s,p), throw(SIGKILL), PID(pid^\bullet, pid^\circ)\}.\emptyset.\{s \neq sig_1 \wedge \cdots \wedge s \neq sig_n \wedge p = pid^\bullet \wedge pid^\circ = pid^\bullet\} , \emptyset\big)
\end{array}$$

where $sig_1, \ldots, sig_n$ are the signals already captured by the thread.



Then, the semantics for the threads given above is a nested block structure
as follows:

begin
  var pid : {p_1, ..., p_k} ,
  var ex : Val ,
  declarations for the thread ;
  alloc-pid(pid) ;
  begin
    ( command for the thread ; throw(SIGKILL) ) || capture-signals
    catch sig_1 then com_1
    ...
    or catch sig_n then com_n
    or catch SIGKILL
  end ;
  free-pid(pid) ;
  catch-others ex then free-pid(pid) ; throw(ex)
end

First, we declare fresh variables pid (whose name is reserved for threads and
must not be declared by the programmer) and ex (used to re-throw an exception
thrown by the thread). Then we make the declarations for the thread in such a
way that they are visible from clauses signal. The first instruction initializes
pid with a call to the pid server. Then the commands (i) which form the body of
the thread and (ii) capture-signals are put in parallel. Command
capture-signals waits for any signal coming from outside. If this happens, the
signal is converted into an exception which is caught according to what is
specified in the thread. If a signal which is not handled by the thread comes,
it is converted into a SIGKILL. If the command for the body of the thread
terminates, command throw(SIGKILL) is used to abort command capture-signals
and to terminate the block. When the internal block is finished, the pid for
the thread is freed and, if the termination comes from an unexpected exception,
the first command free-pid is by-passed. A catch-others allows one to free the
pid in this case and to re-throw the unexpected exception so it is propagated
to the block which declared the thread.

Finally, the semantics for the program just puts the pid server in parallel to
the most external block (as for a global variable declaration), with the scoping
on actions transmit, kill, allocpid, freepid and $PS_t$.
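The pid server and the thread block just described, as an added sequential simulation in Python that is not the paper's code. Step-wise thread bodies, a generator-based round-robin interleaving and a per-pid mailbox standing in for the transmit synchronisation are modelling assumptions made here; the scenario runs three threads on two pids so that one thread has to wait for a free pid, one is killed with a signal it captures, and one terminates by an exception nobody handles.

```python
# Sequential simulation of the pid server and thread block of this section.
# Added example, not the paper's code: step-wise thread bodies, generator-based
# interleaving and a per-pid mailbox standing in for transmit are assumptions.

SIGKILL = "SIGKILL"                     # reserved: may not appear in a signal clause

class Thrown(Exception):
    """throw(w) of B(PN)^2 with args[0] = w; capture-signals raises it too."""

class PidServer:
    """Heap buffer of (p_i, used?) pairs and the loop part's three services."""
    def __init__(self, pids):
        self.free = list(pids)          # tokens (p_i, bot)
        self.mailbox = {}               # p -> transmitted, not yet captured signals

    def allocpid(self):
        if not self.free:               # no token (p, bot): allocpid is blocked
            return None
        p = self.free.pop(0)            # (p, bot) becomes (p, T)
        self.mailbox[p] = []
        return p

    def freepid(self, p):
        del self.mailbox[p]             # (p, T) becomes (p, bot)
        self.free.append(p)

    def kill(self, s, p):               # only pids held by a thread can synchronise
        self.mailbox[p].append(s)       # kill(s,p) is simply converted into transmit(s,p)

class ThreadBlock:
    """thread decls ; command  signal sig_1 then com_1 ... end thread"""
    def __init__(self, steps, handlers):
        if SIGKILL in handlers:         # the syntactic check of the text
            raise SyntaxError("SIGKILL cannot be captured by a signal clause")
        self.steps, self.handlers = steps, handlers

    def capture_signals(self, server, pid):
        pending = server.mailbox[pid]
        if pending:                     # captured signal -> throw(s); any other -> throw(SIGKILL)
            s = pending.pop(0)
            raise Thrown(s if s in self.handlers else SIGKILL)

    def run(self, server, trace):
        # generator with the nested block structure of the text; it yields
        # between steps so that several threads can be interleaved
        pid = server.allocpid()         # alloc-pid(pid), waiting until a pid is free
        while pid is None:
            yield
            pid = server.allocpid()
        try:                            # outer block: catch-others ex then free-pid ; throw(ex)
            try:                        # inner block: (command ; throw(SIGKILL)) || capture-signals
                for step in self.steps:
                    self.capture_signals(server, pid)
                    step(server, trace, pid)
                    yield
                self.capture_signals(server, pid)
                raise Thrown(SIGKILL)   # body finished: abort capture-signals
            except Thrown as exc:
                if exc.args[0] == SIGKILL:
                    pass                # or catch SIGKILL
                elif exc.args[0] in self.handlers:
                    self.handlers[exc.args[0]](server, trace, pid)  # catch sig_i then com_i
                else:
                    raise               # unexpected exception: leaves the inner block
            server.freepid(pid)         # free-pid(pid)
        except Exception:
            server.freepid(pid)         # free-pid(pid) ; throw(ex)
            raise

def schedule(server, trace, threads):
    """Round-robin interleaving; returns the exceptions escaping thread blocks."""
    runs, escaped = [t.run(server, trace) for t in threads], []
    while runs:
        for run in list(runs):
            try:
                next(run)
            except StopIteration:
                runs.remove(run)
            except Thrown as exc:       # propagated to the block declaring the thread
                escaped.append(exc.args[0])
                runs.remove(run)
    return escaped

# constructed thread bodies: a step is a function of (server, trace, pid)
def say(label):
    return lambda server, trace, pid: trace.append((pid, label))
def kill(s, p):
    return lambda server, trace, pid: server.kill(s, p)
def throw(w):
    def step(server, trace, pid): raise Thrown(w)
    return step

def demo():
    # two pids, three threads: A kills B with a signal B captures; C must
    # wait for a free pid and then throws an exception nobody handles
    server, trace = PidServer(["p1", "p2"]), []
    threads = [
        ThreadBlock([say("a1"), kill("USR1", "p2"), say("a2")], {}),
        ThreadBlock([say("b1"), say("b2")], {"USR1": say("usr1 handled")}),
        ThreadBlock([say("c1"), throw("boom")], {}),
    ]
    return trace, schedule(server, trace, threads), sorted(server.free)
```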



6 Conclusion

Concurrent exceptions have been addressed in the literature, for instance in the
context of Coordinated Atomic Actions [?] or Place Chart Nets [?]. In this paper,
we introduced static exceptions in a parallel programming language, B(PN)²,
which is provided with a concurrent semantics based on Petri nets and for which
implemented tools can be used.

It turned out that combining these exceptions with concurrency allowed us to
express other preemption related constructs like a generalized timeout and a
simple multi-threading system.

Future work may emphasize the links with real-time, for instance by introducing
causal time, already defined in [?] for M-nets, at the level of B(PN)². This
would allow one to express timed systems using statements like delays and
deadlines, and thus would turn B(PN)² into a full featured real-time language.
Another interesting work would be to apply this kind of semantics to other
languages. We believe that, in the present state of the development, these ideas
could be used to give a semantics for a reasonably rich (even if not fully
general) part of the Ada programming language.
Abstract. This work proposes a way to model the structure and be- 
haviour of agents in terms of executable coloured Petri net protocols. 
Structure and behaviour are not all aspects of agent based computing: 
agents need a world to live in (mostly divided into platforms), they need 
a general structure (e.g. including a standard interface for communica- 
tion) and their own special behaviour. Our approach tackles all three 
parts in terms of Petri nets. This paper skips the topic of agent plat- 
forms and handles the agent structure briefly to introduce a key concept 
of our work: the graphical modelling of the behaviour of autonomous and 
adaptive agents. 

A special kind of coloured Petri nets is being used throughout the 
work: reference nets. Complex agent behaviour is achieved via dynamic 
composition of simpler sub-protocols, a task that reference nets are 
especially well suited for. The inherent concurrency of Petri nets is 
another point that makes it easy to model agents: multiple threads of 
control are (nearly) automatically implied in Petri nets. 

Keywords: agent, behaviour, concurrency, modelling, multi agent sys- 
tem, nets within nets, Petri net, reference net, structure 



1 Motivation

To date agents are generally programmed using high-level languages such as
Java (namely in agent frameworks as Jackal [?]) or they are defined by simple
scripts. A graphical modelling technique that captures all parts of agents and
their systems - as UML¹ in the context of object-orientation - is neither
proposed nor in general use².

The proper treatment of encapsulation, structuring, and flexibility in the
scope of modelling is at the same time a major challenge in software engineering
as well as in theoretical computer science.

¹ UML stands for Unified Modeling Language. See for example [?].
² The authors are aware of the upcoming proposals that are based on UML, i.e.
from Odell et al. [?] (AUML). In our opinion these proposals capture only parts
of the agent modelling tasks and leave out important areas such as agent
mobility.
(c) Springer-Verlag Berlin Heidelberg 2001



Modelling the Structure and Behaviour of Petri Net Agents 225 



Our department has expertise in examining to what extent Petri nets are
suitable in the mastering of these questions. Starting from fundamental Petri
net concepts, especially Petri nets as active tokens (see [?]) and the basic
construct of object oriented Petri nets (see [?]) have been investigated. The
latter have led to a first approach to agent oriented Petri nets (see [?]). A
complete redesign of agent oriented Petri nets (see [?] for the motivation and
starting point) is now partly presented in this work³. Our approach aims at
modelling a complete multi agent system in terms of Petri nets. This work
decomposes into three parts: the system (e.g. the set of platforms) that hosts
the agents, the agent itself, and its behaviour. A complete presentation of all
three parts is out of the scope of this document; as the title implies, only the
modelling of the structure and behaviour of a single agent is focused on in this
contribution.

Agent orientation is marked by intelligence, autonomy and mobility. Whilst
mobility requires an interplay of one agent and the agent system, intelligence
and autonomy are to be found in the overall architecture of agents (autonomy)
and in their behaviour (intelligence). Mobility raises some hard questions e.g.
concerning safety and is therefore not handled in this paper. Nevertheless our
approach is easily expandable to allow forms of mobility as described in [?].

Our work uses the formalism of reference nets as presented by Kummer [23].
Reference nets are based on the "nets within nets" paradigm that generalises
tokens to arbitrary data types and even nets. The general idea behind our work
is that an agent controls (sub-)nets as tokens which implement special kinds of
behaviour. To (re-)act, the agent simply has to select (and instantiate) such a
net. Additional concepts are dynamic resolution and binding of these nets.

The remainder of the document is organised as follows: in the following
section 2 the formalism of reference nets is briefly introduced. Section 3 gives
an overview of how the "nets within nets" paradigm can be used to model agents,
their behaviour, and their environment. Section 4 describes the structure of the
agents whose behaviour is determined by Petri net protocols. The net protocols
are introduced in section 5 on the basis of an example. Section 6 cites some
related material while the outlook in the closing section 7 names further points
that are yet being discussed or are out of the scope of this paper.

2 Reference Nets

It is assumed throughout this text that the reader is familiar with Petri nets
in general as well as coloured Petri nets. Reisig gives a general introduction,
Jensen [?] describes coloured Petri nets. Generally speaking coloured Petri nets
permit a more compact representation while offering the same computational
power compared to for example P/T-nets.

Reference nets [23] are so-called higher (coloured) Petri nets, a graphical
notation that is especially well suited for the description and execution of
complex, concurrent processes. As for other net formalisms there exist tools
for the simulation of reference nets [?]. Reference nets show some expansions
related to "ordinary" coloured Petri nets: nets as token objects, different arc
types, net instances, and communication via synchronous channels. Beside this
they are very similar to coloured Petri nets as defined by Jensen. The
differences are now shortly introduced.

³ The redesign was necessary for several reasons. The most important one is
that the original work did not use the nets within nets paradigm and therefore
lacked architectural clearness when introducing new layers in the multi agent
system.

Nets as tokens. Reference nets implement the "nets within nets" paradigm of
Valk [?]. This paper follows his nomenclature and denominates the surrounding
net system net and the token net object net. Certainly hierarchies of net within
net relationships are permitted, so the denominators depend on the beholder's
viewpoint.

Arc types. In addition to the usual arc types reference nets offer reservation
arcs, that carry an arrow tip at both endings and reserve a token solely for one
occurrence of a transition, test arcs, and inhibitor arcs. Test arcs do not
draw off a token from a place, allowing a token to be tested multiple times
simultaneously, even by more than one transition (test on existence). Inhibitor
arcs prevent occurrences of transitions as long as the connected places are
marked.

Net instances. Net instances are similar to the objects of an object oriented
programming language. They are instantiated copies of a template net like
objects are instances of a class. Different instances of the same net can take
different states at the same time and are independent from each other in all
respects.

Synchronous channels. Synchronous channels [?] permit a fusion of transitions
(two at a time) for the duration of one occurrence. In reference nets (see [23])
a channel is identified by its name and its arguments. Channels are directed,
i.e. exactly one of the two fused transitions indicates the net instance in which
the counterpart of the channel is located. The other transition can
correspondingly be addressed from any net instance. The flow of information via
a synchronous channel can take place bi-directionally and is also possible
within one net instance.
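The enabling and firing rules for the arc types described above (ordinary, test, inhibitor and reservation arcs), as an added example in Python that is neither the paper's code nor that of any reference net tool. Black (uncoloured) tokens, a Counter marking and the Net class are simplifications assumed here; inscriptions, net instances and synchronous channels are left out.

```python
# Enabling and firing with the arc types of reference nets described above.
# Added example, not the paper's code nor that of a reference net tool: black
# (uncoloured) tokens and a Counter marking are simplifications made for
# illustration; inscriptions, net instances and channels are left out.
from collections import Counter

ARC_KINDS = ("in", "out", "test", "inhibitor", "reserve")


class Net:
    def __init__(self):
        self.marking = Counter()          # place -> number of tokens
        self.arcs = {}                    # transition -> [(kind, place, weight)]

    def add_arc(self, transition, kind, place, weight=1):
        if kind not in ARC_KINDS:
            raise ValueError(f"unknown arc type {kind}")
        self.arcs.setdefault(transition, []).append((kind, place, weight))

    def enabled(self, transition):
        """Ordinary input, test and reservation arcs need their tokens to be
        present; an inhibitor arc forbids the occurrence while its place is
        marked."""
        for kind, place, w in self.arcs.get(transition, []):
            if kind in ("in", "test", "reserve") and self.marking[place] < w:
                return False
            if kind == "inhibitor" and self.marking[place] > 0:
                return False
        return True

    def fire(self, transition):
        if not self.enabled(transition):
            raise ValueError(f"{transition} is not enabled")
        for kind, place, w in self.arcs[transition]:
            if kind == "in":
                self.marking[place] -= w
            elif kind == "out":
                self.marking[place] += w
            # test: the token is only inspected; reserve: the token is taken
            # and given back by the same occurrence, so nothing changes here

    def step_enabled(self, transitions):
        """Can the transitions occur concurrently in one step?  Tokens read
        over test arcs are shared, tokens on in/reserve arcs are not."""
        need = Counter()
        for t in transitions:
            if not self.enabled(t):
                return False
            for kind, place, w in self.arcs[t]:
                if kind in ("in", "reserve"):
                    need[place] += w
        return all(self.marking[p] >= n for p, n in need.items())


def demo():
    """One resource token read by two testers, reserved by two users and
    consumed by a transition guarded by an inhibitor arc (constructed net)."""
    net = Net()
    net.marking["resource"] = 1
    for t in ("read1", "read2"):
        net.add_arc(t, "test", "resource")
    for t in ("use1", "use2"):
        net.add_arc(t, "reserve", "resource")
    net.add_arc("consume", "in", "resource")
    net.add_arc("consume", "inhibitor", "flag")
    net.add_arc("consume", "out", "done")
    out = {
        "readers together": net.step_enabled(["read1", "read2"]),  # test arcs share
        "users together": net.step_enabled(["use1", "use2"]),      # one token, two reservations
        "consume enabled": net.enabled("consume"),
    }
    net.marking["flag"] += 1
    out["consume while flag set"] = net.enabled("consume")         # inhibited
    net.marking["flag"] -= 1
    net.fire("use1")                      # reservation: token is back afterwards
    out["resource after use1"] = net.marking["resource"]
    net.fire("consume")
    out["after consume"] = (net.marking["resource"], net.marking["done"])
    return out
```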

3 Multi Agent System

This section gives a short introduction to a multi agent system modelled in
terms of "nets within nets" (see figure 1). This survey is given to make the
general ideas visible that are prerequisite to the understanding of the concepts
that follow in later sections of this paper. It is neither an introduction to
multi agent systems nor are the assets and drawbacks of dividing the system into
platforms discussed here. For a broad introduction see for example [?]; the
special view taken in our work is a standard proposal of the "Foundation for
Intelligent Physical Agents" (FIPA) [?]. The latest publications of the FIPA can
be found in [?].

Take a look at figure 1. The grey rounded boxes enclose nets (net instances)
of their own right. The ZOOM lines enlarge object nets that are tokens in the
respective system net⁴. The upper left net of the figure is an arbitrary agent
system with places containing agent platforms and transitions modelling
communication channels between the platforms. This is just an illustrating
example, the number of places and the form of interconnection has no further
meaning.

The first zoom leads to a closer view of a simplified agent platform. The 
central place agents contains all agents that are currently hosted on the platform. 
New agents can be generated (or moved from other platforms) by transition new, 
agents can be destroyed or migrate to another platform (transition destroy). 
Internal message passing differs from the external case so it is conceptually 
separated: The internal communication transition binds two agents (the sender 
and the receiver of a message) and allows them to hand over a message via 
call of synchronous channels. External communication involves only one agent of 
the platform. For external communication as well as for agent migration the 
communication transitions of the top level agent system net are needed. The 
interaction of the multi agent system and the agent platform is made possible 
by inscribing the transitions with synchronous channels connecting for example 
the transition external communication of an agent platform with that of another 
one via the communication structure transition of the multi agent system. These 
inscriptions are not visible in the figure. 



⁴ Beware not to confuse this net-to-token relationship with place refinement.

The remaining nets that show the structure of an agent and an example of
its (dynamic) behaviour in form of protocols (protocol nets) are explained in
more detail in sections 4 and 5 respectively.

4 Agent Structure 

An agent is a message processing entity, that is, it must be able to receive
messages, possibly process them and generate messages of its own. In this
context it is to be noted that a completely synchronous message exchange
mechanism as it is used in most object oriented programming systems frequently
violates the idea of autonomy among agents⁵. The fundamental concepts that
characterise agents are (in our opinion) autonomy, intelligence, and mobility.

4.1 Abstract Agent Model 

As a Petri net model, figure 2 shows the most abstract view on an agent. The
input and output transitions are a speciality of the reference nets that are
used in the figure. They can communicate with other (input and output)
transitions in other net copies through the use of synchronous channels
(because they are agents this is done via message passing). The basic agent
model takes advantage of the ability of a transition to occur concurrently with
itself⁶. So the agent is able to receive, process, and send several messages at
the same time; it does not block. The transition processing can be refined for
concrete agents as desired. In this and all following net figures all not
unconditionally necessary inscriptions have been omitted. This leads to simpler
models but may sometimes bring in the danger of confusing the reference nets
(special coloured Petri nets) with more basic net formalisms (e.g. P/T-nets).
So the reader is kindly asked to keep in mind the power of the used net
formalism.

The introduced basic agent model implies an encapsulation of the agents:
regardless of their internal structure, access is only possible over a clearly
defined communication interface. In figure 2 this interface is represented by
the transitions incoming and outgoing. In the figure, the realisation of the
interface (through connection of both transitions to a message transmission
network via synchronous channels) is not represented. Obviously several (then
virtual) communication channels can be mapped to both transitions.

Providing a static interface is the key to interoperability amongst agents. The
agents presented in this paper speak and understand FIPA messages. Neither
the content of the messages nor the way that they are used is limited, only
their syntactical structure is fixed. Some advantages of the use of a
standardised communication mechanism can be found in [?].

⁵ To our understanding agents are not exclusively (artificial) intelligent
agents, but rather a general software structuring paradigm on top of the ideas
of object orientation [19].

⁶ Please note that this is not a special feature of reference nets but of all
proper net formalisms.

Fig. 2. Most abstract view on an agent



The presented agent model corresponds to the fundamental assumptions
about agents: because agents should show autonomy, they must be able to
exercise an independent control over their actions. Autonomy implies the
ability to monitor (and, if necessary, filter) incoming messages before an
appropriate service (procedure, method...) is called. The agent must be able to
handle messages of the same type (e.g. asking for the same service) differently
just because of knowing about the message's sender. This is one of the major
differences between objects and agents: a public object method can be executed
by any other object, protected methods offer a static access control that is
very often inconvenient to the programmer and user. Without regard to the
fundamental autonomy, an agent can obviously be sketched (or take the
obligation for itself) to appear like an object to the outside world, therefore
to be perfectly cooperative. Another reason to prefer messages over for example
method calls is that methods are fixed both in respect to their arguments
(number and type) and the number of methods that are offered by one object.
Using method calls makes it tricky to adapt to new situations.

Autonomy is the major difference between agents and active objects: the
latter may show some of the properties that characterise agents (an often used
example is mobility) but they do not have the ability to control who is calling
their (public) methods. Agents may have arbitrary fine grained access control.

The model does not affect nor restrict the intelligence nor the mobility of the
agents: intelligent behaviour is achieved through refinements of the transition
processing, mobility requires interaction of the agent and the agent system⁷.
Therefore, mobility is not a topic of this work; intelligence is raised again in
the chapter on agent behaviour protocols (chapter 5).

⁷ Note that the proper handling of mobility is a research area of its own
right. There is already some work done [?] in this direction, that will soon be
brought into our agent definitions.

4.2 Refined Agent Model



Beside the fundamental agent concepts the agent model has to meet additional 
requirements concerning their ease of use: On the one hand it has to offer a high 
degree of flexibility in particular during execution and on the other hand the 
modelling process has to be manageable and adaptable. In addition for a broader 
acceptance, intuitive intelligibility of the processes within the agents is necessary. 
These considerations have played an important role in the development of the 
protocol-driven agents sketched here. 

The abstract agent net of figure 0 is refined in the following manner (see 
figure 13) : The agent net as shown in the figure is further used as the interface of 
the agent to the outside world. The transition processing is refined to a selection 
mechanism for specialised subnets, that implement the functionality of the agent, 
therefore (beside the selection process) its behaviour. These subnets are named 
protocol nets (or short protocols) in the following. 

Each agent can control an arbitrary number of such protocols, possesses how- 
ever only one net (in reference net nomenclature: one net page), that represents 
its interface to the agent system and therewith its identity. This main net (page) 
is the visible interface of an agent in the multi agent system. As mentioned before 
all messages that an agent sends or receives have to pass this net. 

The main net of the (protocol-driven) agents introduced here is given in 
figure 0 It is a refinement of the abstract agent net given in figure 0 

The central point of activity of a protocol-driven agent is the selection of 
protocols and therewith the commencement of conversations [ref]. Protocol 
selection can basically be performed pro-actively (the agent itself starts a 
conversation) or reactively (protocol selection triggered by a conversation activated 
by another agent).¹ This distinction corresponds to the bilateral access to the 
place holding the protocols (protocols). The only difference in enabling and occurrence 
of the transitions reactive and pro-active is the arc from the place input 
messages to the transition reactive. So the latter transition has an additional 
input place, the incoming-messages buffer, and may only be enabled by incoming 
messages. Both the reaction to arriving messages and the kick-off of a (new) 
conversation are influenced by the knowledge of an agent. In the case of pro-active 
protocol selection, the place knowledge base is the only proper enabling 
condition; the protocols are a side condition. In simple cases the knowledge base 
can be implemented, for example, as a subnet; advanced implementations such as a 
connection to an inference engine are also possible (and have been put into 
practice). Unfortunately this topic cannot be deepened here any further. 

An agent has several possibilities to react to dynamically changing environments: 
it may not react at all (if it decides that no change of its behaviour is 
needed or possible), it may alter its protocol selection strategy (choose different 

¹ The fundamental difference between pro-active and reactive actions is of great 
importance when dealing with agents. An introduction to this topic is given, e.g., by 
Wooldridge in [ref] (in: [ref]). 



Modelling the Structure and Behaviour of Petri Net Agents 231 




Fig. 3. Refined protocol-driven agent 



protocols for the same message type), adapt one or more of its protocols² or 
ask other agents for protocols that suit the new situation (protocols may be 
communicated as well). 

A selected and activated protocol³ is also called a conversation because it 
usually includes the exchange of messages with other agents. A conversation 
can, however, also run agent-internally, i.e. without message traffic. A freshly 
invoked conversation holds an unambiguous identification that is not visible in 
the figure. All messages belonging to a conversation carry this identification as 
a parameter so that they can be assigned properly. If an agent receives a message carrying 
such a reference to an existing conversation, transition in is enabled instead 
of transition reactive. The net inscriptions that guarantee this enabling are not 

² Protocol adaptation is done in a way similar to the "reconfigurable nets" formalism 
[ref], i.e. restricted self-modifying nets [ref]. The adaptation of protocols together with 
the agent's knowledge base unfortunately has to be skipped in this paper. 

³ Following object-oriented nomenclature one speaks of an instantiated net or 
protocol (that is represented in the form of a net). 
represented in figure 3 for reasons of simplicity. The transition in passes incoming 
messages to the corresponding conversation protocol in execution. Examples of 
this process follow in section 5. 

If messages have to be sent to other agents during the run of a 
conversation, these messages are passed from the protocol net over the transition 
out to the agent's main page and are handed over to the message transport 
mechanism by the transition output.⁴ The communication between protocol net 
(conversation) and the agent's main net takes place via synchronous channels. 

An interesting feature of all agents derived from the (template) agent in 
figure 3 is that they cannot be blocked, neither by incoming messages nor by 
their protocols,⁵ and therefore cannot lose their autonomy. 

Examples of concrete conversation protocols are to be found in the following 
section, where a producer-consumer process is modelled as an example. 



5 Agent Protocols 

An important field of application of Petri nets is the specification of processes 
such as that in figure 4, which shows a simple producer-consumer process. In order to 
leave no room for conceptual confusion, nets that spread over several agents 
and/or distributed functional units will be called "survey nets". 




Fig. 4. Producer-consumer (survey net) 



The place buffer in the middle of the figure represents an asynchronous coupling 
between the process of producing and that of consuming. This coupling 
is, however, only independent to the extent that it, for example, blocks the consumer 
if it is empty or, if it is inscribed with a capacity, blocks the 
producer when this maximal filling is reached. In the following, producer and 
consumer are introduced as autonomous agents and are modelled according to 
⁴ The message transport mechanism is part of the agent system (or platform) and is 
therefore only sketched in this paper. 

⁵ Unless it is strictly necessary for a protocol to block the entire agent and this is 
explicitly modelled. 
figure 5 by means of a reference net. The buffer is not modelled as an independent 
agent; nevertheless this would be no problem, both syntactically (this will be explained in 
the following) and semantically (considering the level of autonomy the 
buffer owns). 

An interesting point is the re-usability of the protocols: consider a refined 
model in which the buffer should play an active role and should therefore be 
modelled as an agent of its own. The protocols of the producer and the consumer 
remain structurally unchanged; only the addressees of their messages have to be 
adapted. But these should be modelled dynamically in any case. 

Note that this is not the first work that uses the producer-consumer process 
as an example to illustrate new ideas of how to model and structure software 
systems by means of Petri nets. It is for example used by Reisig to introduce 
Petri nets in general [ref] and by Valk to show different models of synchronisation 
[ref]. 

The following example assumes that the buffer is restricted to a capacity of 
one item. This restriction is for simplification purposes only and may be lifted 
easily. The restriction is indicated in figure 4 by the grey place capacity under 
the buffer place. 




Fig. 5. Synchronous producer-consumer 



The producer-consumer survey net is refined to the net in figure 5, which 
uses an explicitly modelled synchronous message exchange. The buffer and its 
capacity are moved out to form the message transport system. The message 
transport system is also the borderline between the two agents producer and consumer 
that will be introduced in the following subsections. The producer produces one 
item (denoted as i in the figure) and sends it to the consumer. The producer has 
to wait for an acknowledgement (a) from the consumer to fire the transition rec. ack. 
in order to return to its initial state. When the consumer receives an item it sends 
the acknowledgement (send ack.) and consumes the item received. After consuming it 
is ready to receive the next item. 

The marking of the net in figure 5 indicates the starting points of the protocol 
nets telling the agents how to produce or consume: the produce protocol 
has to be selected pro-actively and starts with the production of an item. The 
consume protocol is selected in a reactive manner to process an incoming message 
from the producer containing an item. 

5.1 Producer 

The protocol of the producer agent is represented in figure 6. The upper transitions 
with the channels :start, :out, :in, and :stop are typical for all types of 
protocol nets. The :start channel serves as a means to pass possibly necessary 
parameters to the protocol. It is called on the agent main page (see figure 3) 
either by transition reactive or pro-active. The channels :in and :out are responsible 
for the communication of an operating protocol with the environment. They 
connect to the transitions of the same names on the agent's main page. 
When a protocol has finished its task, the transition inscribed with channel :stop 
is enabled. By calling this channel the agent may delete the protocol or, more 
correctly, the protocol instance. 






After the start of the protocol the transition produce produces a performative⁶ 
(here i) containing an item that is directed to the consumer. Note that 
in the example the performative is the only thing that is produced. The performative 
is sent over the :out channel; subsequently the protocol is blocked 
waiting for an answer message. The blocking behaviour is necessary to simulate 
a synchronous communication between producer and buffer. Without waiting for 

⁶ Some of the ideas that led to the agent model introduced here partially originate 
from the area of KQML [ref] or FIPA agents [ref]. Roughly speaking, 
a performative is a message. KQML stands for "Knowledge Query and Manipulation 
Language", FIPA is the abbreviation of "Foundation for Intelligent Physical 
Agents". 




Fig. 6. Produce protocol (transitions produce, send, wait, acknowledge received; channels :start(), :out(i), :in(a), :stop()) 
an answer the producer would be able to "inundate" the buffer with messages, 
which would require an infinite buffer capacity. An arriving confirmation enables the 
transition acknowledge received. After occurrence of that transition the protocol 
is no longer blocked and terminates (by enabling the stop transition). The 
producer agent is now able to select and instantiate the produce protocol again. 

5.2 Consumer 

The protocol net that models the consume behaviour of the consumer agent (see 
figure 7) is selected (reactively) by the agent's main page to process an incoming 
performative from the producer agent. It is instantiated and the :start channel is 
used to pass the performative to the protocol. Among other things, the performative is 
needed to send an acknowledgement performative to the originator of the conversation 
(the producer). Note that the consumer agent does not know the producer, nor whether 
there is one or several of them. The protocol works in either case. 



Fig. 7. Consume protocol (transitions send acknowledge, consume; channels :start(i), :out(), :stop()) 



The consumer can hold an arriving message as long as it wants, until it 
is ready to "consume" the carried item. In figure 7 this is represented by the 
transition send acknowledge. After acknowledging the receipt of the item the 
transition consume may occur. After that the protocol terminates and can be 
deleted. 

Figures 6 and 7 show the protocols that model a conversation between producer 
and consumer. They are executed within agents of the type of figure 3. The 
figures form a simple example that illustrates how to model a producer-consumer 
process by means of agent-oriented Petri nets. The proposed methodology of implementing 
protocol nets in a top-down manner starting with so-called survey nets 
is not the only way to develop protocols. One can easily think of a bottom-up 
style or mixed cases, especially for hierarchical protocol relationships as in the 
following subsection. Unfortunately this topic cannot be deepened here. 
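The conversation-id routing of section 4.2 (transition in for a known conversation, transition reactive for a new one) together with the blocking produce and consume protocols of sections 5.1 and 5.2, as an added example in plain Python. This is not code from the paper or from the Renew tool: the class names, the message transport as a simple queue, and the knowledge-base rule that starts a new produce conversation only while none is running are this example's own assumptions.

```python
# Added example, not code from the paper or from Renew: a plain Python
# simulation of the protocol-driven agent main page (section 4.2) running the
# produce and consume protocols of sections 5.1 and 5.2.  The conversation id
# decides whether an incoming message fires transition 'in' (known
# conversation) or 'reactive' (new conversation).  All names and the
# knowledge-base rule in pro_active are this example's own assumptions.
import itertools
from collections import deque
from dataclasses import dataclass

@dataclass
class Message:                  # a performative
    performative: str           # "item" or "ack"
    sender: str
    receiver: str
    conv_id: tuple              # conversation identification carried by every message
    payload: object = None

class Protocol:
    """A protocol instance (conversation): start() is the :start channel,
    inbox() the :in channel, stopped means the :stop channel is enabled."""
    def __init__(self, agent, conv_id):
        self.agent, self.conv_id, self.stopped = agent, conv_id, False

    def inbox(self, msg):
        return []

class ProduceProtocol(Protocol):
    """Fig. 6: produce, send via :out, wait, acknowledge received, stop."""
    def start(self, msg=None):
        item = f"item-{self.conv_id[1]}"
        return [Message("item", self.agent.name, self.agent.peer, self.conv_id, item)]

    def inbox(self, msg):
        if msg.performative == "ack":
            self.stopped = True         # unblocked by the acknowledgement
        return []

class ConsumeProtocol(Protocol):
    """Fig. 7: :start(i) carries the performative; send acknowledge, consume."""
    def start(self, msg=None):
        self.agent.consumed.append(msg.payload)
        self.stopped = True
        return [Message("ack", self.agent.name, msg.sender, msg.conv_id)]  # same conv id

class Agent:
    """Main page of figure 3; 'protocols' maps a performative to the protocol net."""
    def __init__(self, name, protocols, transport, peer=None):
        self.name, self.protocols, self.transport, self.peer = name, protocols, transport, peer
        self.conversations, self.input_messages = {}, deque()
        self.consumed, self.ids = [], itertools.count(1)
        self.fired = {"pro-active": 0, "reactive": 0, "in": 0, "stop": 0}

    def _select(self, performative, conv_id):
        proto = self.conversations[conv_id] = self.protocols[performative](self, conv_id)
        return proto

    def pro_active(self, performative):
        """Assumed knowledge-base rule: start a new conversation only while
        none is running (this is what simulates the one-slot buffer)."""
        if any(not p.stopped for p in self.conversations.values()):
            return False
        proto = self._select(performative, (self.name, next(self.ids)))
        self.fired["pro-active"] += 1
        self.transport.extend(proto.start())            # transition output
        return True

    def step(self):
        """Fire every enabled main-page transition once."""
        for msg in list(self.input_messages):
            if msg.conv_id in self.conversations:       # transition in
                self.input_messages.remove(msg)
                self.fired["in"] += 1
                self.transport.extend(self.conversations[msg.conv_id].inbox(msg))
            elif msg.performative in self.protocols:    # transition reactive
                self.input_messages.remove(msg)
                self.fired["reactive"] += 1
                self.transport.extend(self._select(msg.performative, msg.conv_id).start(msg))
            # otherwise no protocol fits and the message stays in input messages
        for cid, proto in list(self.conversations.items()):
            if proto.stopped:                           # transition stop
                del self.conversations[cid]
                self.fired["stop"] += 1

def run_producer_consumer(items=3):
    """Returns (consumed items, producer counts, consumer counts, most item
    messages ever in transport at once)."""
    transport = deque()
    producer = Agent("producer", {"produce": ProduceProtocol}, transport, peer="consumer")
    consumer = Agent("consumer", {"item": ConsumeProtocol}, transport)
    agents, in_flight_max = {a.name: a for a in (producer, consumer)}, 0
    for _ in range(10 * items):
        if producer.fired["pro-active"] < items:
            producer.pro_active("produce")
        in_flight_max = max(in_flight_max, sum(m.performative == "item" for m in transport))
        while transport:                                # message transport delivers
            m = transport.popleft()
            agents[m.receiver].input_messages.append(m)
        for a in agents.values():
            a.step()
    return consumer.consumed, producer.fired, consumer.fired, in_flight_max
```

Running `run_producer_consumer(3)` delivers the three items in order with never more than one item message in transit: on the producer only pro-active and in fire, on the consumer only reactive, and every conversation ends with stop. A message that references no running conversation and whose performative selects no protocol stays in the input buffer, which is the behaviour the arc from input messages to reactive (with protocols as side condition) gives in the net.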
5.3 Refined Producer 

Consider a producer capable of producing several different items. The naive approach 
to model this more powerful producer is to enlarge the producer protocol 
of figure 6 and to use this new protocol afterwards. For several reasons this is 
not a good idea:⁷ 

— Redefinition of existing nets is tiresome and error-prone. 

— Large nets tend to be complex and thus difficult to understand and maintain 
(see above). 

— Further enhancements become more and more difficult. 



Fig. 8. Internal produce protocol (transition produce item1; channels :start(), :out(i)) 



For these reasons the new produce process is split into pieces. First, protocols 
for the different produce procedures like that in figure 8 have to be modelled. 
Now the production of the items can be driven from other protocols inside the 
producer agent. An example of such a higher-order protocol is a description of 
the following specification: imagine a consumer that does not care whether it receives 
items of type 1 or type 2. In that case the producer can decide which items to produce, 
perhaps for reasons of availability or price. 

This decision is independent of the production process⁸ and should therefore 
be carried out in an independent protocol. This protocol is shown in figure 9. The 
protocol is an extension of the producer protocol of figure 6. At first a decision 
is made about the type of item to produce (transitions i1 and i2). After that the 
protocol has to send a message to the selected production protocol, e.g. to that 
of figure 8. The protocol waits for the item to arrive, sends it to the consumer 
and so on. It may appear that the protocol net in figure 9 shows a conflict 
introduced by several transitions carrying the same synchronous channel. 
This possible conflict is resolved by additional inscriptions concerning the 
type of message that is the argument of the synchronous channels. 

⁷ This enumeration could easily be continued. 

⁸ Certainly only to the extent that an informed decision needs to know something 
about the needs of the production. 
Fig. 9. Production alternatives 

Fig. 10. Decision protocol (channel :stop()) 



Note that this solution is not optimal considering the reasons given for not enlarging 
existing nets. As a consequence the process of decision making is outsourced 
to a protocol of its own; it may be used by other protocols, too. To illustrate 
this, figure 10 shows the new decision protocol. The new produce protocol is 
quite similar to the original one; just the decision protocol is called instead of 
producing. 



6 Related Work 

Note that this is not the first approach to use Petri nets to model or implement 
agents. This section gives an idea of similarities and differences between our 
work and that of other researchers. 

A major difference between the related work of other authors and our approach 
is the use of reference nets and therefore the nets-within-nets idea. To our knowledge 
there are no other implementations of this net paradigm besides reference 
nets. Despite this difference there are certainly similarities to the results of 
other researchers. This work aims at modelling multi-agent systems as a whole. 
Therefore it is not possible to relate it to work dealing with smaller parts of 
agents (e.g. the planning process or reasoning under uncertainty). This will be made 
up for when discussing these parts of our work in future publications. 

Sibertin-Blanc et al. implement agent behaviour in the form of Cooperative 
Nets [ref]. Cooperative nets model the behaviour of objects; this approach is 
extended to agents. While the basic idea of modelling the behaviour is somewhat 
similar to our work, there are also differences: the behaviour of a (cooperative) 
object is statically defined by one net; it cannot be altered or adapted at runtime, 
which is a major drawback for agents. Furthermore, the work of Sibertin-Blanc 
et al. contains no notion of a multi-agent system. 

Holvoet [ref] proposes Petri net agents that communicate in a manner 
similar to synchronous channels. Like Sibertin-Blanc (see above) he does not explicitly 
handle multi-agent systems. The proposed agents are not autonomous in 
the strict sense presented earlier in this paper, because their interaction (via 
transition synchronisation) is not filtered by an interface but directly concerns 
the transitions modelling the agent's behaviour. So proper encapsulation of 
the agents cannot be assured; the agents are rather active objects. The agents 
Holvoet proposes are "special agents": they are specialised and restricted to 
tasks that are exchangeable protocols for the agents introduced in this paper. 

Fernandes and Belo [ref] introduce a modelling case study that uses coloured 
Petri nets to model multi-agent system activities. They do not model single 
agents (which are tokens in their approach) but the overall system behaviour for 
one example system. 

Miyamoto and Kumagai [ref] enhance the Cooperative nets (by Sibertin-Blanc, 
mentioned above) in several ways to multi-agent nets. Their work is closer 
to our approach because it uses quite similar protocols to define the agents' 
behaviour. Their protocols offer public interfaces, therefore they are not autonomous 
in our strict sense. 

Xu and Shatz [ref] build agents on top of the G-Net formalism of Figueiredo 
and Perkusich [ref]. Despite the different formalisms their work has some 
similarities to ours, namely the planning process (how to react to incoming 
messages). The main difference between the approaches is that their multi-agent 
system is completely unstructured. Therefore mobility is not taken into account. 
Furthermore, their agents have a fixed set of methods and may only adapt by 
changing their goals, plans and knowledge, not by reconfiguring, adapting or 
exchanging their actions (methods). 



7 Outlook 

In consideration of the topic of this paper some interesting aspects of the agent 
introduced here could not be mentioned: the protocol nets an agent possesses are 
interchangeable at run time (if the agent allows this). A mobile agent (mobility 
is possible in the multi-agent framework but not introduced here) that arrives 
at an agent platform can adopt the protocols valid there as its own. 
The modelling process is a topic in its own right. The transformation of a 
survey net that describes an entire conversation (as given in figure 4) to the 
protocol nets is carried out as an example in [ref] (in German). 

A further point concerns the protocols themselves: only very simple procedures 
were shown. More complicated protocols include a hierarchical nesting that 
is constructed at run time by mutual calls of protocols (in contrast to protocols 
forming a conversation, this is done within one agent). In this way a dynamic 
adaptation of the agents via self-modification becomes possible. 

Besides intuitive and compact modelling of concurrent processes, Petri nets 
are particularly well known for their provability. It should not be concealed that 
there are neither standard proving techniques nor frameworks for reference nets. This 
is a major drawback because exhaustive testing via simulation is not always 
wanted nor possible. There is an ongoing PhD thesis in our department that 
deals with the question of property-conserving composition in agent Petri nets; 
first results of this work can be found in [22]. This is a very promising approach 
because it fits the compositionality of the protocols presented in this work: 
once a property like liveness has been proven for a protocol net, it may be used 
in any conversation without losing this property (subject to the condition that 
all other protocols offer this property, too). 

At present the knowledge base is under internal discussion. There exists a 
Prolog interpreter that is implemented in Java and therefore can be integrated 
into the reference net simulation tool Renew. It is used as an inference engine 
inside the agents in more elaborate examples. A graphically modelled 
knowledge model would be desirable. 
Abstract. Latvala and Heljanko have presented how model checking 
of linear temporal logic properties of P/T nets with fairness constraints 
on the transitions can be done efficiently. In this work the procedure 
is extended to high-level Petri Nets, Coloured Petri Nets in particular. 
The model checking procedure has been implemented in the Maria 
tool. As a case study, a liveness property of a sliding window protocol 
is model checked. The results indicate that the procedure can cope 
well with many fairness constraints, which could not have been handled 
by specifying the constraints as a part of the property to be verified. 

Keywords: Model checking, fairness, LTL, high-level Petri Nets. 



1 Introduction 

Model checking has established itself as one of the most useful methods 
for reasoning about the temporal behavior of Petri Nets. Currently there are 
several Petri Net tools which offer model checking of either linear or branching 
time properties of Petri Nets (see e.g. [ref]). 

Model checking liveness properties differs from model checking safety properties. 
In many cases certain unwanted behaviors of the model must be ignored to 
facilitate model checking of liveness properties. This is usually done using fairness 
assumptions [ref]. For Petri Nets this means that the behavior of a transition 
or several transitions is restricted according to the fairness assumption. The only 
support Petri Net model checkers have offered for this so far is model checking 
properties with formulas of the form "fairness ⇒ property". Using many fairness 
assumptions makes the formula long and therefore quickly makes model 
checking intractable, since the model checking problem is PSPACE-complete [ref] 
in the size of the formula. 
Latvala and Heljanko presented in [ref] how P/T nets with fairness constraints 
on the transitions can be model checked efficiently by giving semantics to the 
P/T net with a fair Kripke structure (FKS) [ref]. The FKS is then model checked 
with a procedure similar to the one presented in [ref]. It can, however, be difficult 
to model large systems with P/T nets, and therefore there is a need to extend 
the procedure to high-level nets. 

The main contributions and results of this work are the following. A procedure 
for model checking high-level Petri Nets with fairness constraints on 
the transitions is presented. The procedure is a generalization of the procedure 
in [ref]. Also included is the proof of correctness of the construction, which was 
only briefly touched upon in [ref]. The procedure has been implemented in the 
MARIA analyzer. Using a model of a sliding window protocol, the implementation 
is tested. A liveness property of the protocol is verified with a window size 
of up to 11, without any reduction methods. This could not have been done with 
the fairness constraints as part of the property to be verified. 

The rest of the paper is structured as follows. In Section 2 Coloured Petri 
Nets are defined and Fair CPNs are introduced. Section 3 covers the necessary 
automata theory and presents the model checking procedure. The implementa- 
tion of the model checker is covered in Section 4. The sliding window protocol 
is modeled and analyzed in Section 5. Section 6 concludes the paper. 

2 Coloured Petri Nets 

2.1 Definition of Coloured Petri Nets 

The definition follows quite faithfully the definition of Coloured Petri Nets in [ref]. 
CPNs were chosen because they are relatively simple to define while still being 
high-level Petri nets. Also, the fact that they are well known contributed to 
their choice. The results to be presented later can easily be generalized to other 
high-level Petri net classes. 

No concrete syntax and semantics for the net expressions will be given. We 
will, however, assume that they exist so that the following concepts are well defined. 

— $Type(e)$: the type of the expression $e$. 

— $Var(e)$: the set of variables in an expression $e$. 

— A binding $b(v)$ associates with each variable $v$ a value of the type of the variable. 

— $e(b)$: the value obtained by evaluating the expression $e$ with the binding $b$. 



Definition 1. A tuple $\Sigma = (\Pi, P, T, A, N, C, E, G, M_0)$ is a Coloured Petri 
Net (CPN) [ref] where 

i.) $\Pi$ is a finite set of non-empty types or colour sets. 

ii.) $P$ is a finite set of places. 

iii.) $T$ is a finite set of transitions, such that $P \cap T = \emptyset$. 

iv.) $A$ is a finite set of arcs, such that $P \cap A = T \cap A = \emptyset$. 

v.) $N : A \to (P \times T) \cup (T \times P)$ is a node function. 

vi.) $C : P \to \Pi$ is a colour function. 

vii.) $E$ is an arc expression function, defined from arcs to expressions, such 
that $\forall a \in A : E(a)(b)$ is a multi-set over the colour of the place component 
of the arc, for all legal bindings $b$. 

viii.) $G$ is a guard function, defined from transitions to expressions, such that 
$G(t)(b) \in \{true, false\}$ for any legal binding $b$ and $t \in T$. 

ix.) $M_0$ is an initial marking. 

We define the following notations: 

— $A(x) = \{a \in A \mid \exists x' \in P \cup T : [N(a) = (x, x') \lor N(a) = (x', x)]\}$ 

— $A(x_1, x_2) = \{a \in A \mid N(a) = (x_1, x_2)\}$ 

— $\forall t \in T : Var(t) = \{v \mid v \in Var(G(t)) \lor \exists a \in A(t) : v \in Var(E(a))\}$ 

— $\forall (x_1, x_2) \in (P \times T \cup T \times P) : E(x_1, x_2) = \sum_{a \in A(x_1, x_2)} E(a)$ 

$A(x)$ returns the set of surrounding arcs, i.e. the arcs that have $x$ as a source or 
a destination, for a given node $x$. $A(x_1, x_2)$ returns the arcs which are between 
the nodes $x_1$ and $x_2$. $Var(t)$ is the set of variables of $t$, while $E(x_1, x_2)$ is the 
expression of $(x_1, x_2)$ and returns the multi-set sum of all expressions attached 
to the arcs which have $x_1$ and $x_2$ as nodes. 

Definition 2. A token element is a pair $(p, c) \in P \times C(p)$. The set of all 
token elements is denoted by $TE$. A marking is a multi-set over $TE$. 

Because each marking defines a unique function $M(p)$, which maps each place 
to a multi-set over the colour set of the place, a marking is usually presented as 
a function on $P$. 

Definition 3. A binding of a transition $t \in T$ is a binding function on $Var(t)$ 
such that $\forall v \in Var(t) : b(v) \in Type(v)$ and $G(t)(b) = true$. We denote the 
binding $t(b)$ and call $t(b)$ an instance of $t$. A transition instance $t(b)$ is enabled 
in a marking $M$ iff $\forall p \in P : E(p, t)(b) \le M(p)$. 

The function $en(M)$ returns the transition instances which are enabled in the 
marking $M$. If a transition instance $t(b) \in en(M)$, it can occur, changing $M$ into 
another marking $M'$ which is given by 

$$\forall p \in P : M'(p) = M(p) - E(p, t)(b) + E(t, p)(b).$$ 

Hence $M'$ is reachable from $M$, which we denote by $M \xrightarrow{t(b)} M'$. 

The behavior of the net is given by the Kripke structure of the net. 

Definition 4. The Kripke structure of a CPN $\Sigma$ is a triple $K = (S, \rho, s_0)$, 
where $S$ is the set of markings, $\rho$ is the transition relation, and $s_0$ is the initial 
marking. $S$ and $\rho$ are defined inductively as follows. 

1. $s_0 = M_0 \in S$. 

2. If $M \in S$ and $M \xrightarrow{t(b)} M'$ then $M' \in S$ and $(M, M') \in \rho$. If $M \in S$ and 
$en(M) = \emptyset$ then $(M, M) \in \rho$. 

3. $S$ and $\rho$ have no other elements. 

The executions of the net are infinite sequences of markings $\xi = M_0 M_1 M_2 \cdots$, 
for which $(M_i, M_{i+1}) \in \rho$ for all $i \ge 0$. 
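Definitions 1 to 4 executed in plain Python, as an added worked example that is not code from the paper or from the Maria tool. A multi-set is a `collections.Counter`, an arc expression $E(a)$ is a function from a binding to a multi-set, bindings of $t$ are enumerated over the colour sets of $Var(t)$ and filtered by the guard, and the Kripke structure is built by exhaustive search with the self-loop rule for $en(M) = \emptyset$. The net used (a one-slot buffer whose consumer only accepts items of colour 1, so that an item of colour 2 leaves the net deadlocked) is constructed here and is not one of the paper's models.

```python
# Added example, not code from the paper or from Maria: Definitions 1-4 in
# plain Python.  Multi-sets are collections.Counter, E(a) is a function of the
# binding, bindings are enumerated over the colour sets of Var(t), and the
# Kripke structure is built by search with the deadlock self-loop of Def. 4.
# The net at the bottom is constructed for this example.
from collections import Counter
from itertools import product

def ms(*colours):
    """Multi-set literal: ms(1, 1, 2) is the multi-set 2`1 + 1`2."""
    return Counter(colours)

def freeze(M):
    """Hashable form of a marking: (place, colour, count), zero counts dropped."""
    return frozenset((p, c, n) for p, m in M.items() for c, n in m.items() if n > 0)

def thaw(frozen, places):
    M = {p: Counter() for p in places}
    for p, c, n in frozen:
        M[p][c] += n
    return M

class CPN:
    def __init__(self, sigma, places, transitions, m0):
        self.sigma = sigma              # colour sets: name -> list of values
        self.places = places            # C: place -> colour set name
        self.trans = transitions        # t -> {"vars", "guard", "pre", "post"}
        self.m0 = {p: Counter(m0.get(p, ())) for p in places}   # M_0

    def bindings(self, t):
        """All b on Var(t) with b(v) in Type(v) and G(t)(b) = true."""
        spec = self.trans[t]
        names = sorted(spec["vars"])
        for values in product(*(self.sigma[spec["vars"][v]] for v in names)):
            b = dict(zip(names, values))
            if spec["guard"](b):
                yield b

    def arc(self, t, p, side, b):
        """E(p,t)(b) for side 'pre', E(t,p)(b) for side 'post'."""
        f = self.trans[t][side].get(p)
        return f(b) if f else Counter()

    def is_enabled(self, M, t, b):      # Definition 3: E(p,t)(b) <= M(p) for all p
        return all(M[p][c] >= n
                   for p in self.places for c, n in self.arc(t, p, "pre", b).items())

    def en(self, M):
        return [(t, b) for t in self.trans for b in self.bindings(t)
                if self.is_enabled(M, t, b)]

    def occur(self, M, t, b):           # M'(p) = M(p) - E(p,t)(b) + E(t,p)(b)
        M2 = {}
        for p in self.places:
            c = Counter(M[p])
            c.subtract(self.arc(t, p, "pre", b))
            c.update(self.arc(t, p, "post", b))
            M2[p] = +c                  # unary + drops zero counts
        return M2

    def kripke(self):
        """Returns (S, rho, deadlocks) of Definition 4."""
        s0 = freeze(self.m0)
        states, rho, deadlocks, todo = {s0}, set(), set(), [s0]
        while todo:
            s = todo.pop()
            M = thaw(s, self.places)
            enabled = self.en(M)
            if not enabled:             # en(M) empty: (M, M) in rho
                rho.add((s, s))
                deadlocks.add(s)
                continue
            for t, b in enabled:
                s2 = freeze(self.occur(M, t, b))
                rho.add((s, s2))
                if s2 not in states:
                    states.add(s2)
                    todo.append(s2)
        return states, rho, deadlocks

E, ITEM = "E", "ITEM"

def one_slot_net():
    """Constructed net: produce puts an item x into a one-slot buffer (the place
    free holds the capacity token); take has the guard x = 1, so an item of
    colour 2 can never be removed and the net deadlocks on it."""
    e = lambda b: ms("e")               # constant arc expression 1`e
    x = lambda b: ms(b["x"])            # arc expression 1`x
    return CPN(
        sigma={E: ["e"], ITEM: [1, 2]},
        places={"ready": E, "free": E, "buffer": ITEM, "idle": E, "holding": ITEM},
        transitions={
            "produce": {"vars": {"x": ITEM}, "guard": lambda b: True,
                        "pre": {"ready": e, "free": e}, "post": {"ready": e, "buffer": x}},
            "take":    {"vars": {"x": ITEM}, "guard": lambda b: b["x"] == 1,
                        "pre": {"buffer": x, "idle": e}, "post": {"holding": x}},
            "consume": {"vars": {"x": ITEM}, "guard": lambda b: True,
                        "pre": {"holding": x}, "post": {"idle": e, "free": e}},
        },
        m0={"ready": ms("e"), "free": ms("e"), "idle": ms("e")},
    )
```

`one_slot_net().kripke()` yields four markings and five arcs: the initial marking branches on the two bindings of produce, the colour-1 branch cycles back through take and consume, and the colour-2 marking has no enabled instance and therefore carries the $(M, M)$ self-loop of Definition 4, which is what makes the deadlock visible as an infinite execution.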



2.2 Petri Nets and Fairness 

Fairness can be a useful abstraction when one does not want to model the 
details of the scheduling required in the implementation of the system. Using 
fairness assumptions for the transitions is perhaps the most convenient way one 
can restrict the set of legal executions to the desired ones when verifying liveness 
properties. Fairness does not affect safety properties. The most common fairness 
assumptions are known as weak fairness and strong fairness. In [ref] they are 
defined using the familiar concepts of enabledness and occurrence of the relevant 
events. An event is weakly fair when continuous enabledness implies that the 
event occurs infinitely often. For some situations, however, weak fairness is not 
enough. In this situation strong fairness might be appropriate. Strong fairness 
assumes that if an event is infinitely often enabled then it will occur infinitely 
often. 

There is some related work which has combined model checking and fairness 
constraints. Latvala and Heljanko presented how P/T nets can be extended with 
fairness constraints and model checked. In [3] Emerson and Lei presented how to 
cope with strong fairness constraints when model checking CTL properties of a 
Kripke structure. A similar method was used to design a BDD-based algorithm 
when the property was given as an automaton in [ref], while in [ref] a procedure for 
model checking LTL properties using BDDs with both weak and strong fairness 
constraints was presented. 

The traditional way of incorporating fairness when model checking Petri nets 
exploits the fact that fairness is expressible in LTL. First, one usually has to 
add places and transitions to the model so that the occurrence of transitions 
is explicitly visible in the reachable markings. These modifications in a sense 
model a scheduler and have to be made because the state-based version of LTL 
can only express properties of markings and thus cannot express properties of 
the transitions unless they are explicitly visible in the Kripke structure. The 
model is then verified by checking the formula "fairness ⇒ property". This 
approach has several drawbacks. The two most obvious ones are that adding 
places and transitions might increase the size of the state space, and that the 
size of the Büchi automaton representing the property can grow exponentially 
in the number of fairness constraints (see e.g. [ref]). A more subtle drawback is 
that adding the scheduler often reduces the concurrency in the model, which 
may affect the performance of some partial order methods (see e.g. [ref]). 
Let $\xi = M_0 \xrightarrow{t_0(b_0)} M_1 \xrightarrow{t_1(b_1)} \cdots$, with $M_i \xrightarrow{t_i(b_i)} M_{i+1}$, be an execution of a 
CPN. A fairness function $F$ is a function from transitions to boolean valued 
expressions. We define $EN_{F,i}(\xi) = true$ if $\exists t(b) \in en(M_i) : F(t)(b) = true$; 
otherwise $EN_{F,i}(\xi) = false$. Also let $OC_{F,i}(\xi) = true$ if $F(t_i)(b_i) = true$; otherwise 
$OC_{F,i}(\xi) = false$. These two functions return true if a transition instance is 
enabled ($EN_{F,i}(\xi)$) or has occurred ($OC_{F,i}(\xi)$) w.r.t. a fairness function. Denote 
the quantifier "there exist infinitely many" by $\exists^\omega$ and then let $InfEN_F(\xi)$ and 
$InfOC_F(\xi)$ be defined in the following way: 

$$InfEN_F(\xi) = \begin{cases} true & \text{if } \exists^\omega i : EN_{F,i}(\xi) = true \\ false & \text{otherwise.} \end{cases}$$ 

$$InfOC_F(\xi) = \begin{cases} true & \text{if } \exists^\omega i : OC_{F,i}(\xi) = true \\ false & \text{otherwise.} \end{cases}$$ 

Now strong and weak fairness can be defined w.r.t. a fairness function. An execution 
is strongly fair if the set of transition instances defined by a fairness 
function $F$ being infinitely often enabled implies that they occur infinitely often 
[ref]: 

$$InfEN_F(\xi) \Rightarrow InfOC_F(\xi).$$ 

The definition for weak fairness is that persistent enabling implies an occurrence 
[ref]: 

$$\forall i \in \mathbb{N} : EN_{F,i}(\xi) \Rightarrow \exists k \ge i : [\lnot EN_{F,k}(\xi) \lor OC_{F,k}(\xi)].$$ 

The semantics of our fairness constraints are equivalent to those presented by 
Jensen in [ref], but the notation is a little different. 

We now extend CPNs with fairness constraints on the transitions. 



Definition 5. A fair CPN (FCPN) is a triple $\Sigma_F = (\Sigma, WF, SF)$ where 
$\Sigma$ is a CPN and $WF = \{wf_1, \ldots, wf_k\}$ a set of weak fairness functions, 
where $wf_i$ is a function from the set of transitions to expressions such that 
$Var(wf_i(t)) \subseteq Var(t)$ for all $t \in T$ and $wf_i(t)(b) \in \{true, false\}$ for any legal 
binding $b$ of the expression. $SF = \{sf_1, \ldots, sf_m\}$ is the corresponding set of 
strong fairness functions with similar restrictions. An execution is an infinite 
sequence of markings and transition instances $\xi = M_0 \xrightarrow{t_0(b_0)} M_1 \xrightarrow{t_1(b_1)} \cdots$, such 
that for all $i \ge 0$ there exists $t_i(b_i)$ for which $M_i \xrightarrow{t_i(b_i)} M_{i+1}$ and $\xi$ obeys the 
fairness constraints defined previously for all weak and strong fairness functions 
in $WF$ and $SF$. 

The expression of a fairness function is true for all instances which should be 
treated as equivalent; if one of the instances is fair, the fairness requirement has 
been satisfied. 
In the following discussion we only consider finite-state and finitely branching 
net systems. For analysis purposes these execution-based semantics are not very 
convenient. Something similar to a Kripke structure is needed. However, the behavior 
of an FCPN cannot be described accurately by a Kripke structure because 
the fairness constraints are not taken into account in any way. Some mechanism 
is needed so that unfair executions can be rejected and only those which conform 
to the fairness constraints are accepted. One way of doing this is by extending 
the definition of a Kripke structure to a fair Kripke structure. It would have been 
possible to extend a labeled transition system (LTS) instead, but as [ref] uses a 
state-based approach and the fastest available Streett emptiness algorithm [ref] 
is state-based, extending Kripke structures seemed more appropriate. 

Let ρ = s_0 s_1 s_2 … ∈ S^ω be an infinite sequence of states. The set of states occurring infinitely often in the sequence is given by:

    Inf(ρ) = {s ∈ S | ∃^∞ i : ρ(i) = s}

Definition 6. A fair Kripke structure (FKS)* is a quintuple K_F = (S, ρ, s_0, W, 𝒮), where S is a set of states, ρ ⊆ S × S is a transition relation and s_0 ∈ S is the initial state. The fairness requirements are defined by a set of weak fairness requirements W = {J_1, J_2, …, J_k} where J_i ⊆ S, and a set of strong fairness requirements 𝒮 = {(L_1, U_1), …, (L_m, U_m)} where L_i, U_i ⊆ S. An execution is an infinite sequence of states σ = s_0 s_1 s_2 … ∈ S^ω, where s_0 is the initial state, and for all i ≥ 0, (s_i, s_{i+1}) ∈ ρ. Computations, i.e. fair executions of the system, are sequences that obey the fairness requirements ⋀_{i=1}^{k} Inf(σ) ∩ J_i ≠ ∅ and ⋀_{i=1}^{m} (Inf(σ) ∩ L_i = ∅ ∨ Inf(σ) ∩ U_i ≠ ∅).

An execution σ is a computation if both the weak and strong fairness requirements are satisfied. From each weak fairness set, at least one state occurs infinitely often in the execution, and for each strong fairness pair, if a state from a set L_i occurs infinitely often, a state from U_i must also occur infinitely often in the execution.

Using the fairness requirements of the FKS, it is possible to only accept the computations which adhere to the fairness constraints on the transitions for FCPN. However, generating a FKS from a FCPN is not completely straightforward. For the same reason that a normal CPN must sometimes be modified in order for the LTL formulas to be able to express the fairness assumptions, a FKS cannot simply be a normal Kripke structure where we have added some fairness sets. The occurrence of transition instances must be made explicit in the FKS. Here, this is done by adding an intermediate state for each occurrence of a transition instance in the FKS. We make the transition “visible” by adding the intermediate state. For instance, if in the normal Kripke structure the marking M_j is followed by M_{j+1} when taking the transition instance t(b), in the FKS this sequence will have an intermediate state. If the intermediate state is denoted by M_{t(b)}, the sequence will be M_j M_{t(b)} M_{j+1}. With the intermediate states added it is now possible to use the weak and strong fairness sets to ensure that only executions which obey the fairness constraints on the transitions are considered legal.

* In order to have consistent terminology, weak and strong fairness are used instead of justice and compassion as in [?].

The states of the FKS are defined as pairs (M, t(b)) so that the intermediate states can be distinguished from “normal” states. The special symbol ⊥ replaces the transition instance if the state is not an intermediate state. Hence, to obtain a FKS K_F = (S, ρ, s_0, W, 𝒮) from a FCPN Σ_F = (Σ, WF, SF), we define S and ρ inductively as follows:

1. s_0 = (M_0, ⊥) ∈ S.

2. If (M, ⊥) ∈ S and M →^{t(b)} M' then (M', t(b)) ∈ S, (M', ⊥) ∈ S and ((M, ⊥), (M', t(b))) ∈ ρ, ((M', t(b)), (M', ⊥)) ∈ ρ. If (M, ⊥) ∈ S and en(M) = ∅ then ((M, ⊥), (M, ⊥)) ∈ ρ.

3. S and ρ have no other elements.

The weak fairness sets and the strong fairness sets are defined as:

1. For each wf_i ∈ WF the weak fairness set is

   — J_i = {(M, ⊥) ∈ S | ∀t(b) ∈ en(M) : wf_i(t)⟨b⟩ = false} ∪ {(M', t(b)) ∈ S | wf_i(t)⟨b⟩ = true}.

2. For each sf_i ∈ SF the strong fairness sets are

   — L_i = {(M, ⊥) ∈ S | ∃t(b) : t(b) ∈ en(M) ∧ sf_i(t)⟨b⟩ = true} and

   — U_i = {(M', t(b)) ∈ S | sf_i(t)⟨b⟩ = true}.

We are now ready to prove that the construction of the FKS is correct, in the sense that the semantics of the fairness constraints are as we wanted.

Theorem 1. Let Σ_F be a FCPN. ξ = M_0 M_1 ⋯ is a fair execution of Σ_F if and only if the FKS of the FCPN has a computation. (Under the assumption that Σ_F is finite state and finitely branching.)

Proof. See [?].

Example. Consider a simple system consisting of a sender and a receiver. The sender can send n different messages to the receiver and the receiver acknowledges the messages. The communication could be modeled so that a sent message can be lost, while acknowledgements always come through. A Petri net model checker would declare that if a message is ready to be sent, it would not always be received. A closer study of the counterexamples reveals two reasons. A message may not be sent because only one type of message is sent even though all types are ready to be sent, or the channel loses all messages. This could be remedied by including a scheduler in the model; however, a simpler solution would be to use some fairness constraints on the transitions. By giving the transition “Send” a weak fairness constraint w.r.t. the message type and the transition “Receive” a strong fairness constraint w.r.t. the message type, the model checker would now report that the property holds. The weak fairness constraint ensures progress, so that no message type is left unsent when it is ready. The strong fairness constraint ensures that a message gets through eventually if it is resent. A FCPN model of the fair system can be found in Figure 1.

Fig. 1. FCPN model of the sender-receiver system. (Figure not reproduced; visible labels: transitions Send, Acknowledge; declarations: color M = int with 1..n declare ms; var x: M;)

3 Model Checking LTL 

3.1 ω-Automata

The close connection between automata on infinite words and LTL is used by 
many model checking procedures. Here the necessary automata theory is intro- 
duced and the most important terms are defined. 

Büchi automata are the basic theoretical construction for every LTL model checker which uses the automata theoretic approach.

Definition 7. A labeled generalized Büchi automaton (LGBA) is a tuple A = (Q, Δ, I, F, D, V), where Q is a finite set of states, Δ ⊆ Q × Q is the transition relation, I is a set of initial states, F = {F_1, F_2, …, F_n} with F_i ⊆ Q is a finite set of acceptance sets, D some finite domain (in LTL model checking D = 2^{AP} for some finite set of atomic propositions AP) and V : Q → 2^D is a labeling function. A run of A is an infinite sequence of states ρ = q_0 q_1 q_2 … such that q_0 ∈ I and for each i ≥ 0, (q_i, q_{i+1}) ∈ Δ.

Let the operator Inf(ρ) be defined similarly for a run as for an execution. A run ρ is accepting if for each acceptance set F_i ∈ F there exists at least one state q ∈ F_i that appears infinitely often in ρ, i.e. Inf(ρ) ∩ F_i ≠ ∅ for each F_i ∈ F. An infinite word ξ = x_0 x_1 x_2 … ∈ D^ω is accepted iff there exists an accepting run ρ = q_0 q_1 q_2 … of A such that for each i ≥ 0, x_i ∈ V(q_i). If F = {F_1} the LGBA corresponds to an ordinary Büchi automaton.
With Streett automata it is possible to extend the LTL model checking procedure to also cope with strong fairness in an efficient manner.

Definition 8. A Streett automaton (see [?] for an arc labeled version) is a tuple A = (Q, Δ, I, Ω, D, V), where Q, Δ, I, D and V have the same meanings as above. Ω = {(L_1, U_1), …, (L_k, U_k)} with L_i, U_i ⊆ Q is a set of pairs of acceptance sets. A run of a Streett automaton is defined in the same way as for an LGBA. The Streett automaton accepts a run ρ = q_0 q_1 q_2 … if

    ⋀_{i=1}^{k} (Inf(ρ) ∩ L_i = ∅ ∨ Inf(ρ) ∩ U_i ≠ ∅).

We can read the acceptance condition as that the automaton accepts when “for each i, if some state in L_i is visited infinitely often, then some state in U_i is visited infinitely often”. We define the set of infinite words accepted by A analogously to the LGBA case, using the new acceptance condition Ω.

Streett automata and generalized Büchi automata both accept the class of ω-regular languages; however, there is no polynomial translation from a Streett automaton to a Büchi automaton (see e.g. [?]). The converse can easily be done by letting L_i = Q and U_i = F_i.

The set of ω-words the automaton A accepts is denoted by L(A), and it is called the language of A. L(A) = ∅ denotes that the language accepted by A is empty. Determining whether L(A) = ∅ is referred to as performing an emptiness check.

3.2 LTL Definitions 

Linear temporal logic (LTL) [22] is commonly used for specifying properties of reactive systems. LTL is interpreted over infinite executions, which makes it appropriate for specifying properties of the executions of a Kripke structure.

Given a finite non-empty set of atomic propositions AP, LTL formulas are defined inductively as follows:

1. Every member p ∈ AP is an LTL formula.

2. If φ and ψ are LTL formulas then so are ¬φ, φ ∨ ψ, Xφ and φ U ψ.

3. There are no other LTL formulas.

An interpretation for an LTL formula is an infinite word ξ = x_0 x_1 x_2 … over the alphabet 2^{AP}, i.e. a mapping ξ : ℕ → 2^{AP}. The mapping is interpreted to give the propositions which are true; elements not in the set are interpreted as being false. With ξ^i we mean the suffix starting at index i, namely x_i x_{i+1} x_{i+2} …. The semantics of LTL are given by the following:

— ξ ⊨ p iff p ∈ x_0, the first index of ξ, for p ∈ AP.

— ξ ⊨ ¬φ iff ξ ⊭ φ.

— ξ ⊨ φ ∨ ψ iff ξ ⊨ φ or ξ ⊨ ψ.

— ξ ⊨ Xφ iff ξ^1 ⊨ φ.

— ξ ⊨ φ U ψ iff there exists an i ≥ 0 such that ξ^i ⊨ ψ and ξ^j ⊨ φ for all 0 ≤ j < i.

The constants T = p ∨ ¬p, for an arbitrary p ∈ AP, and F = ¬T denote atomic propositions which are always true and always false respectively. Commonly used abbreviations are ◇φ = T U φ, □φ = ¬◇¬φ and the usual boolean abbreviations ∧, ⇒ and ⇔.
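As an added example (not from the paper), the semantics above can be evaluated directly on ultimately periodic words ξ = prefix·loop^ω, each letter being the set of atomic propositions that hold at that position. Such a word has only finitely many distinct suffixes ξ^i, which is what makes the U case decidable by a bounded search. The tuple encoding of formulas, the helper names and the sample words are assumptions of the example; the derived operators are the abbreviations given in the text, and the last sample formula has the shape of the LIVE property □◇receive(0) ∨ ◇receive(1) used in Section 5.2.

```python
# Added example: LTL semantics over ultimately periodic words (prefix, loop).
# Formulas are nested tuples over the primitive connectives p, ¬, ∨, X, U.
def P(name): return ('p', name)
def Not(f): return ('not', f)
def Or(f, g): return ('or', f, g)
def X(f): return ('X', f)
def U(f, g): return ('U', f, g)
TOP = Or(P('_'), Not(P('_')))            # T = p ∨ ¬p for an arbitrary p
def F(f): return U(TOP, f)               # ◇f = T U f
def G(f): return Not(F(Not(f)))          # □f = ¬◇¬f
def And(f, g): return Not(Or(Not(f), Not(g)))

def holds(f, word, i=0):
    """Decide ξ^i ⊨ f for the word ξ = prefix · loop^ω given as (prefix, loop)."""
    prefix, loop = word
    n, k = len(prefix), len(loop)
    def letter(j):                       # x_j, wrapping around the loop
        return prefix[j] if j < n else loop[(j - n) % k]
    def suffixes(j):                     # every distinct suffix ξ^j', j' ≥ j, in order
        return range(j, n + k) if j < n else [n + (j - n + d) % k for d in range(k)]
    op = f[0]
    if op == 'p':   return f[1] in letter(i)
    if op == 'not': return not holds(f[1], word, i)
    if op == 'or':  return holds(f[1], word, i) or holds(f[2], word, i)
    if op == 'X':   return holds(f[1], word, i + 1)
    # until: some suffix satisfies the right operand, the left one holds at every earlier suffix
    for j in suffixes(i):
        if holds(f[2], word, j): return True
        if not holds(f[1], word, j): return False
    return False                         # all distinct suffixes seen, none satisfied the right operand

LIVE = Or(G(F(P('receive0'))), F(P('receive1')))   # shape of the Section 5.2 property

def demo():
    all_zeros = ([], [{'receive0'}])                       # constructed: 0^ω, infinitely many 0s delivered
    then_stop = ([{'receive0'}, {'receive0'}], [set()])    # constructed: two 0s, then nothing ever again
    a_one = ([set(), set()], [{'receive1'}])               # constructed: 0^*·1, a 1 is delivered
    ab = ([{'a'}], [{'b'}])                                # constructed: a b b b ...
    return (holds(LIVE, all_zeros), holds(LIVE, then_stop), holds(LIVE, a_one),
            holds(X(P('a')), ab), holds(U(P('a'), P('b')), ab))
```

The search in the U case stops at the first position where the left operand fails, which is sound because no later position can then be a witness; exhausting every distinct suffix without finding the right operand means it never holds, since all later suffixes repeat earlier ones.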

By mapping the execution of a CPN or a FCPN to a sequence it is then possible to use LTL to specify properties of the executions.

Definition 9. The corresponding sequence of an execution ξ_K = M_0 M_1 … of the Kripke structure of a CPN is the sequence generated by the function seq(ξ_K) which maps each marking in the execution to the corresponding subset of atomic propositions by evaluating the atomic propositions in the marking. The corresponding sequence of a computation ξ_F = s_0 s_1 s_2 … of the FKS of a FCPN is the sequence generated by the function seq_F(ξ_F) which maps every second state in the computation to the corresponding subset of atomic propositions by evaluating the atomic propositions in the marking component of every second state in the sequence, starting from s_0.

Thus it is now possible to define two problems related to model checking of LTL, which are especially interesting for verification of systems modeled with Petri nets.

Model Checking Problem: Given a CPN Σ and an LTL formula φ, does seq(ξ_K) ⊨ φ hold for every execution ξ_K of Σ?

Fair Model Checking Problem: Given a FCPN Σ_F and an LTL formula φ, does seq_F(ξ_F) ⊨ φ hold for every fair execution ξ_F of Σ_F?



3.3 Model Checking 



The automata theoretic approach to model checking utilizes the close relationship between LTL and automata on infinite words. Several procedures [?] have been suggested which construct a LGBA that recognizes all the models of a given LTL formula. Most model checking procedures are designed for ordinary Büchi automata, but in our case this is not a problem as they are a special case of the LGBA.

Given a LTL property φ and a corresponding Büchi automaton, model checking a system is now possible by interpreting the Kripke structure as a Büchi automaton. This Büchi automaton represents all the possible executions of the system. If this system automaton is intersected with the property automaton, the result is an automaton which accepts all executions which are common to the two automata. Intersecting the system automaton with an automaton corresponding to the negation of the property yields an automaton which has no accepting executions if and only if the system is a model of the LTL property.

Hence, the steps performed to verify that a system has a property given by a LTL formula φ and solve the model checking problem are the following [?]:

1. Construct a generalized Büchi automaton A_{¬φ} corresponding to the negation of the property φ.

2. Generate the Kripke structure of the system and interpret it as a LGBA K with F = ∅.

3. Form the product automaton B = A_{¬φ} × K.

4. Check if L(B) = ∅.

If L(B) = ∅ the model of the system has the desired property. Combining several of these steps into a single algorithm and performing them in an interleaving manner is referred to as “on-the-fly” model checking [?]. Naturally the procedure can also be done with a simple Büchi automaton, if the property LGBA is further expanded to a simple Büchi automaton.



proc Check(formula φ, System K) =
    LGBA-Automaton A := to-automaton(¬φ);                     Step 1.
    LGBA-Automaton B := product(A, K);                        Step 2.
    Streett-Automaton S;
    Component mscc;
    forall mscc ∈ MSCC(B) do                                  Step 3.
        if (¬modelcheck(mscc)) then                           Step 4.
            continue;
        fi
        if (hasWF(mscc) AND ¬wf-modelcheck(mscc)) then        Step 5.
            continue;
        fi
        S := ToStreett(mscc);
        if (hasSF(mscc) AND ¬sf-modelcheck(S)) then           Step 6.
            continue;
        fi
        counterexample(S);                                    Step 7.
        return true;
    od
    return false;

Fig. 2. The fair model checking procedure



The aforementioned procedure is not appropriate, from an efficiency point of view, for model checking a FKS and thus solving the fair model checking problem. What is needed is a procedure which can handle both generalized Büchi acceptance sets and Streett acceptance sets. Of course, the procedure should also avoid using the more time consuming (see e.g. [24]) Streett emptiness checking procedure if possible.

To solve the fair model checking problem the new procedure for high-level Petri nets, shown in Figure 2, does the following.
1. Constructs a generalized Büchi automaton A_{¬φ}.

2. The Kripke structure of the FCPN model is constructed, interpreted as a LGBA with F = ∅, and simultaneously the product with A_{¬φ} is computed.

3. Tarjan’s algorithm is used to compute a maximal strongly connected component (MSCC) of the product. In graph theoretic terms a MSCC is a maximal subset of vertices C of a directed graph, such that for all v_1, v_2 ∈ C, the vertex v_1 is reachable from v_2 and vice versa. The set is maximal in the sense that if any state is added to this set, it ceases to be a SCC.

4. When a MSCC of the product automaton has been calculated, we check for generalized Büchi acceptance, i.e. whether there is any execution which violates the given property. There cannot exist a fair counterexample if there is no failing execution. Hence, if the component does not contain a state from each Büchi acceptance set (LGBA acceptance condition), we return to step 3.

5. If a component is accepted, the component is checked for weak fairness. This can be done without generating any intermediate states, which is of course desirable. The memberships of the fairness sets are assigned in the following manner. Let the MSCC be denoted by C. Consider a state s = (M, P), where M is the corresponding marking in the Kripke structure and P the corresponding state in the formula automaton. Then, for all s ∈ C, s is a member of F_i if:

   — ∀t(b) ∈ en(M) : wf_i(t)⟨b⟩ = false, or

   — ∃t(b) ∈ en(M), s' ∈ S : wf_i(t)⟨b⟩ = true and (s, s') ∈ Δ, M →^{t(b)} M', s' = (M', P') such that s' ∈ C.

   See Theorem 2 for why this works. If the component is accepted, i.e. it contains all weak fairness sets, and has no strong fairness constraints, the intermediate states are added according to the definition of a FKS. However, the generalized Büchi sets are interpreted as Streett acceptance sets U_i with each L_i set initialized to the universal set. The intermediate states are needed for the correctness of the counterexample. The counterexample algorithm must be able to identify fair transition instances which can occur infinitely often. Now we can generate a counterexample at step 7.

6. We now know that the MSCC contains a weakly fair counterexample. To ensure that there is also a counterexample which is both strongly and weakly fair, we will use a Streett emptiness checking algorithm on this MSCC. (Using the Streett emptiness check to handle strong fairness constraints goes back to at least [?].) However, we cannot yet ignore the property sets and the weak fairness sets. Therefore the weak fairness sets are computed according to the definition of the FKS, and both the property sets and the weak fairness sets are again simulated with Streett acceptance sets, using the technique given in step 5. Before the component is given to the Streett emptiness algorithm, also the strong fairness sets L_i and U_i must be computed. These are also computed according to the definition of a FKS. The correctness of this step is proven in Theorem 3. We simulate the FKS with a Streett automaton and if no weakly and strongly fair counterexample is found, we continue from step 3 with the next MSCC of the product automaton.

7. A counterexample is generated using the subset of vertices of the MSCC (the Streett emptiness algorithm possibly deletes some states and edges) which the emptiness checking algorithm gives to the counterexample algorithm.
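The following Python, added here as an illustration and not MARIA’s implementation, runs steps 2 to 6 on a constructed toy net in which each of two messages is independently ready, in a lossy channel, or received but not yet acknowledged (a simplification of the sender-receiver example of Section 2). The net, the property automaton for ¬φ with φ = □◇got1 (“message 1 is received infinitely often”), and all helper names are assumptions of the example. It computes MSCCs with Tarjan’s algorithm, checks generalized Büchi acceptance, assigns the weak fairness sets as in step 5 without intermediate states, then inserts the intermediate states, turns the property and weak sets into Streett pairs with L_i set to the universal set (the Büchi-to-Streett translation of Section 3.1) and runs the standard Streett emptiness check, which removes the states of a violated L_i and recomputes the components of what remains.

```python
# Added example: steps 2-6 of the fair model checking procedure on a constructed toy net.
# Toy net: message m is 'ready', 'sent' (in a lossy channel) or 'got' (received, not yet acked).
def en(M):
    """Enabled transition instances of marking M as {(t, binding): M'}."""
    out = {}
    for i, st in enumerate(M):
        m, nxt = i + 1, (lambda s, i=i: M[:i] + (s,) + M[i + 1:])
        if st == 'ready':
            out[('Send', (('x', m),))] = nxt('sent')
        elif st == 'sent':
            out[('Lose', (('x', m),))] = nxt('ready')
            out[('Receive', (('x', m),))] = nxt('got')
        else:
            out[('Ack', (('x', m),))] = nxt('ready')
    return out

def wf(m): return lambda t, b: t == 'Send' and dict(b)['x'] == m     # wf_m: weak fairness on Send(m)
def sf(m): return lambda t, b: t == 'Receive' and dict(b)['x'] == m  # sf_m: strong fairness on Receive(m)

# LGBA for ¬φ, φ = □◇got1, as a transition function on the marking just entered:
# state 0 guesses, state 1 is accepting and must never see message 1 in status 'got'.
def neg_phi(P, M):
    return ({0, 1} if P == 0 else {1}) - ({1} if M[0] == 'got' else set())
F_PROP = [lambda s: s[1] == 1]        # its acceptance set, lifted to product states (M, P)

def product(M0, en, delta, P0):
    """Step 2: reachability graph × property automaton; every edge keeps its t(b) label."""
    succ, todo = {}, [(M0, P0)]
    while todo:
        s = todo.pop()
        if s in succ: continue
        (M, P), succ[s] = s, []
        for tb, Mp in (en(M).items() or [(None, M)]):      # dead marking: unlabelled self-loop
            for Pp in delta(P, Mp):
                succ[s].append((tb, (Mp, Pp))); todo.append((Mp, Pp))
    return succ

def sccs(nodes, succ):
    """Step 3: Tarjan's algorithm on the subgraph induced by `nodes`; returns its MSCCs."""
    idx, low, stack, on, out = {}, {}, [], set(), []
    def visit(v):
        idx[v] = low[v] = len(idx); stack.append(v); on.add(v)
        for w in succ(v):
            if w not in nodes: continue
            if w not in idx: visit(w); low[v] = min(low[v], low[w])
            elif w in on: low[v] = min(low[v], idx[w])
        if low[v] == idx[v]:
            comp = set()
            while True:
                w = stack.pop(); on.discard(w); comp.add(w)
                if w == v: break
            out.append(frozenset(comp))
    for v in nodes:
        if v not in idx: visit(v)
    return out

def weak_sets(C, succ, en, WF):
    """Step 5: the weak fairness sets F_i restricted to MSCC C, without intermediate states."""
    return [{s for s in C if not any(f(t, b) for (t, b) in en(s[0]))
             or any(tb and f(*tb) and sp in C for tb, sp in succ[s])} for f in WF]

def to_streett(C, succ, en, F_sets, WF, SF):
    """Step 6: add an intermediate state (M', t(b), P') on every edge inside C and build the Streett
    pairs: property and weak sets as (all, X) pairs, strong sets as (L_i, U_i) per the FKS definition."""
    edges = {s: [] for s in C}
    for s in C:
        for tb, sp in succ[s]:
            if sp in C:
                mid = (sp[0], tb, sp[1]); edges[s].append(mid); edges[mid] = [sp]
    nodes = frozenset(edges)
    mids = [m for m in nodes if len(m) == 3 and m[1]]
    pairs = [(nodes, {s for s in C if F(s)}) for F in F_sets]
    pairs += [(nodes, {s for s in C if not any(f(t, b) for (t, b) in en(s[0]))}
                      | {m for m in mids if f(*m[1])}) for f in WF]
    pairs += [({s for s in C if any(f(t, b) for (t, b) in en(s[0]))},
               {m for m in mids if f(*m[1])}) for f in SF]
    return nodes, edges, pairs

def streett_nonempty(nodes, succ, pairs):
    """Streett emptiness check: a non-trivial SCC D with D∩L_i = ∅ or D∩U_i ≠ ∅ for every pair
    is a witness; otherwise drop the states of the violated L_i and recurse on the remainder."""
    for D in sccs(nodes, succ):
        v = next(iter(D))
        if len(D) == 1 and v not in succ(v): continue               # no cycle through D
        bad = [L for L, U in pairs if D & L and not D & U]
        if not bad: return D
        w = streett_nonempty(D.difference(*bad), succ, pairs)
        if w: return w
    return None

def fair_counterexample(M0, en, delta, P0, F_sets, WF, SF):
    """Steps 3-6: state set of a weakly and strongly fair counterexample MSCC, or None."""
    succ = product(M0, en, delta, P0)
    for C in sccs(set(succ), lambda s: [sp for _, sp in succ[s]]):
        if not all(any(F(s) for s in C) for F in F_sets): continue   # step 4: Büchi acceptance
        if not all(weak_sets(C, succ, en, WF)): continue               # step 5: weakly fair?
        nodes, edges, pairs = to_streett(C, succ, en, F_sets, WF, SF)  # step 6
        w = streett_nonempty(nodes, lambda s: edges[s], pairs)
        if w: return w
    return None
```

With weak fairness on Send and strong fairness on Receive, `fair_counterexample(('ready', 'ready'), en, neg_phi, 0, F_PROP, [wf(1), wf(2)], [sf(1), sf(2)])` returns None, so φ holds under the constraints. Dropping the strong constraints yields the counterexample that sends message 1 and loses it forever; dropping the weak ones yields the one that never sends message 1 at all, which strong fairness cannot exclude because Receive(1) is then never enabled.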

Theorem 2. Let C be a MSCC of the product automaton. The component contains a weakly fair counterexample if and only if the component interpreted as an automaton A, using the set assignments done in step 5, is non-empty.

Proof. If C contains a counterexample which is weakly fair, then by step 3 of the 
procedure, the sets representing the property must be present in the automata. 
For all weak fairness functions there are transition instances in such a way that 
the implicit set generated by the fairness function is infinitely often disabled or 
can occur infinitely often. A state in A belongs to a weak fairness set, i.e. an 
acceptance set of the automaton, if no transition of the set is enabled in the state 
or a transition of the set occurs and the resulting state is also in the component. 
The first condition handles cases where the weakly fair transition instances never 
are enabled while the second condition handles the cases where the transition 
instances occur infinitely often. Thus all weak fairness sets are present if there 
is a weakly fair counterexample, and thus A is non-empty. 

If A is non-empty, we know from step 3 of the procedure that the component 
contains a counterexample. Any execution respecting the acceptance sets of the 
property is a counterexample. As all sets are present in the component, and 
all states are reachable from each other, there must exist an execution which 
goes through both the property sets and weak fairness sets (a trivial example 
is an execution which visits all states of the component infinitely often). This 
execution is a weakly fair counterexample. 



Theorem 3. Let C be a MSCC of the product automaton. The component contains a strongly fair counterexample if and only if the Streett automaton A resulting from transforming C according to the definition of a FKS and simulating the property and weak fairness sets with the Streett sets (consider the CPN marking of each product state only, ignoring the product automaton state) is non-empty.

Proof. If C contains a counterexample which is weakly and strongly fair, then by step 3 of the procedure the property sets must be present in A, as they are simulated by some Streett sets. From Theorem 2 we know that the acceptance sets simulating the weak fairness sets will also be present, as the counterexample is weakly fair. As the counterexample is also strongly fair, for each strong fairness function there are transition instances such that if the instances are infinitely often enabled, some instances occur infinitely often. In A each state which has a transition instance enabled that makes a strong fairness function true belongs to the corresponding L set, thus marking all possible states where some strongly fair transition instances defined by a fairness function are enabled. An intermediate state is generated which will belong to the corresponding U set, and which will belong to the MSCC if the occurrence of the transition instance results in a state which is in the component. Thus the U set marks all the states making it possible for transition instances defined by a fairness function to occur. Remembering that the Streett acceptance condition is similar to the strong fairness constraint, clearly the Streett acceptance will be satisfied if a strongly fair execution is present in the component. Thus the component is non-empty.

Let A be non-empty. Any execution respecting the property sets will be a counterexample. We know from Theorem 1 that any execution respecting the FKS fairness sets must be both strongly and weakly fair. The simulation of the generalized Büchi sets (the property and the weak fairness sets) is done by setting L_i = S and U_i = F_i. As each L_i is guaranteed to be present, each U_i must be satisfied, which corresponds to the LGBA acceptance condition that each F_i must be satisfied. Since the component respects the fairness sets it is possible to construct an execution which respects the fairness sets (otherwise the component would be empty). Hence the component contains a weakly and strongly fair counterexample.



Corollary 1. The procedure solves the fair model checking problem. 

The procedure tries to avoid the cost of the more expensive Streett emptiness check, whenever possible, by always first testing for weak fairness and only invoking the Streett check if there are strong fairness constraints enabled. This might result in faster running times compared to always performing the check. Also, by performing the verification in an on-the-fly manner, checking one MSCC at a time, the cost of computing all MSCCs of the product automaton might be avoided.

There are several other algorithms for automata theoretic model checking of LTL which have been presented in the literature. The nested-depth-first-search algorithm of [3] was designed for (non-generalized) Büchi automata. The algorithm of [?] is similar in the sense that it uses both Büchi and Streett acceptance conditions; however, their emptiness checking procedure is BDD based, making it unsuitable for the explicit state tool this procedure was designed for. The transitive closure and fixpoint computations the algorithm requires make it an unwise choice in an explicit state setting. The same argument applies to the algorithm of [?]. An algorithm tailored to handle only generalized Büchi acceptance sets was presented in [?], but due to some optimizations it makes it could not be used here. It is, however, somewhat similar to the procedure presented in this work, as it also is a Tarjan based on-the-fly algorithm.

4 Implementation 

The model checking procedure described in this work has been implemented in the MARIA analyzer [?]. The MARIA analyzer is a reachability analyzer for algebraic system nets [?] and it has been developed at the Laboratory for Theoretical Computer Science at Helsinki University of Technology.

4.1 The MARIA Analyzer

The MARIA analyzer is a reachability analyzer for Algebraic System Nets. The intention is to develop an analyzer with model checking capabilities for a formalism which is powerful enough to model high-level programming languages in a straightforward manner. By using language specific front ends, the idea is that MARIA can function as the analysis tool for several formalisms. Currently a front end for SDL [?] is under development.

The net class of MARIA is based on an algebra with powerful built-in data 
types and expressions. MARIA supports leaf types (bool, char, enum, int, un- 
signed) familiar from high-level programming languages and also complex struc- 
tured types such as structs, arrays and bounded queues. There are built-in op- 
erations for multi-set operations, multi-set sums, etc. 

4.2 Implementation 

The implementation was programmed in C++, like the rest of the analyzer. The emptiness checking algorithm for Streett automata and counterexample generation follows the algorithms described in [?]. Some optimizations were however performed. Management of the arcs of the product automaton was carefully designed, so that only during the Streett emptiness checking phase were the arcs kept in main memory. The Streett emptiness check was also modified so that not all intermediate states were added to the FKS. Only transition instances related to a strong fairness constraint and some instances related to a weak fairness constraint caused an intermediate state to be added. Specifically, the transition instances which belonged to a weak fairness set and could occur so that the resulting state was still in the current MSCC caused an intermediate state to be generated. An external implementation [?] of the algorithm presented in [?] was used as the translator from an LTL formula to a LGBA.

5 Verifying a Sliding Window Protocol 

The sliding window protocol provides reliable transmission over an unreliable communication medium. It is used in several data link control (DLC) protocols and it serves as a basis for reliable transport in many protocols.

Several papers have been written on the verification of the protocol. Recent works which focus on automatic verification of the protocol include [?]. In [13] Kaivola combines a compositional approach with property preserving preorders and equivalences to verify both safety and liveness properties for arbitrary channel lengths. Results up to a window size of seven are presented with bounded buffer sizes. Using Queue BDDs Godefroid and Long [?] verify a full duplex version of the protocol with queue sizes up to eleven. Smith and Klarlund [?] use a theorem proving tool to verify safety properties of the protocol for unbounded buffer sizes, window sizes and channel capacities. They also verify safety properties with a fixed window size as large as 256.
5.1 Protocol Description

The specific version of the protocol on which we focus here is a unidirectional version due to [?]. The sliding window protocol consists of four main components. These are the sender, the receiver, the transmission channel and the acknowledgment channel. The structure of the protocol can be seen in Figure 3. Additionally we assume there is a data source which generates messages to be sent and a target which receives them. The protocol has the following important parameters:

— tw: The size of the transmission window. This specifies the maximum number of messages which the sender can send without receiving an acknowledgment.

— rw: The size of the receive window. This specifies the maximum number of messages which the receiver can receive without forwarding them to the target.

— w: The maximum value of the sequence numbers.

Only when tw + rw ≤ w + 1 holds will the protocol function properly [?]. The abstractions made in the following description follow Kaivola [13]. The sender side of the protocol functions in the following way. It receives data to be sent from the data source. It can then choose to send the message containing the data and a sequence number or receive more messages to be sent. The sender can send tw messages without receiving an acknowledgment. If no acknowledgment is received the sender can time out and resend the messages. Following the timeout model of Kaivola, a timeout can occur only if no further messages can be sent to the transmission channel. When a valid acknowledgment is received the transmission buffer is emptied up to the last acknowledged message and the sender can receive new messages from the data source.

The receiver side of the protocol functions in the following way. When the receiver receives a message it is stored and marked as unacknowledged, if the sequence number of the message is in the reception window. Then the protocol proceeds to forward the messages to the data target and empties the receive buffer. The sequence number of the last message sent to the target is sent as an acknowledgment to the sender.

All channels in the protocol are modeled as queues with a FIFO discipline, which can lose any message.

Fig. 3. The main components of the protocol. (Figure not reproduced.)



5.2 Properties 

The aim of this small case study was to test the performance of the MARIA model checker. Hence, liveness properties are of special interest as they in many cases require fairness assumptions.

The liveness property required is that as many items should be delivered to the data target as are read from the data source. If the system is connected to a data source which generates the ω-regular language (see e.g. [?]) 0^ω ∪ 0^*·1, using data-independence [?] and properties of ω-regular languages Kaivola argues that it is then enough to verify the property:

LIVE Either infinitely many 0s are delivered to the target or 1 is delivered.

The property can be expressed in LTL in the following way:

    □◇receive(0) ∨ ◇receive(1),

where receive(i) denotes an atomic proposition indicating that the receiver has received a message with the data i. However, the property does not hold unconditionally. A fairness constraint is needed for the channels. The following fairness constraint is used:

FAIR For all sequence numbers i ∈ {0, …, w}, if a message with the sequence number i is sent to the receiver infinitely often, it receives a message with the sequence number i infinitely often. The same constraint applies for the acknowledgment channel.



5.3 The MARIA Model 

Modeling the protocol in the MARIA Petri Net class is quite straightforward. 
Using the queue and array types of MARIA, it is easy to model the channels as 
queues and the internal data buffers of the sender and the receiver as arrays. 
The complete model consists of 12 places and 9 high-level transitions. Two places 
are used to make it possible to express the liveness property LIVE in LTL. The 
fairness constraints on the channels are easy to express by putting strong fairness 
constraints, tied to the sequence number of the message, on the channels which 
handle the receiving of data and acknowledgments respectively. Hence there is a 
fairness set for each channel for each sequence number. A weak fairness constraint 
is needed on the receiver side to guarantee progress in the sequential parts. To 
obtain the complete model see http://www.tcs.hut.fi/~timo/pn2001. 
Fig. 4. Statistics for the model checking. (Table not reproduced.)



5.4 Results 

The new procedure was tested by model checking the liveness property LIVE for different window sizes with the fairness constraint FAIR. The parameters were chosen such that rw = tw and the capacity of the queues modeling the channels was w. To further reduce the possible values of the parameters, the value of w was fixed such that w = tw + rw − 1.

All tests were performed on a PC with a 1 GHz AMD Athlon processor and 512 MB of RAM. The system was running the Debian GNU/Linux distribution, version 2.2. Times were measured using the UNIX command “time” and the user plus system time was recorded. In the table of Figure 4 the results can be seen. The “states” and the “arcs” columns indicate the number of nodes and the number of arcs respectively in the reachability graph. The |product| column gives the number of states in the product. The same protocol was also modeled using the Spin [?] model checker. However, because the automata translator of Spin could not translate the fairness constraints to an automaton for w > 1, due to memory exhaustion, a comparison was not deemed fair and hence omitted. Actually, no algorithm available to the author could translate the fairness constraints, for the window sizes presented here, on the hardware used. As can be seen from the results the MARIA model checker can, due to the efficient handling of the fairness constraints, cope with quite large window sizes. It should be noted that no reduction methods were used on the state space. Using reduction methods could probably enable model checking of larger window sizes.

6 Conclusions 

In this work LTL model checking for high-level Petri nets has been extended to 
nets which have fairness constraints on the transitions. For P/T nets a similar 
construction was presented, but not implemented, in [19]. The semantics of the 
fairness constraints is given by an execution-based semantics and a fair Kripke 
structure. Using Streett automata the model checking procedure is extended to 
handle the fairness constraints in an efficient manner. 

The procedure has been implemented in the MARIA analyzer. The implementation 
was tested using a model of a unidirectional sliding window protocol. Results 
indicate that the procedure seems to scale well, even when there are many 
strong fairness constraints present. The protocol could not have been verified for 
such large window sizes had the fairness constraints been part of the property to 
be verified, instead of being part of the model. 

There are still some open questions concerning the new LTL model checking 
procedure. It is clear that not all intermediate states have to be added when 
model checking. It should be possible to formulate a better sufficient condition, 
which could be statically checked, for the transitions in the model which need the 
intermediate states to be generated. This could reduce the number of intermediate 
states needed in the procedure. It could also be interesting to generalize 
this method to encompass the full branching time logic CTL*. As CTL* model 
checking can be reduced to several calls to an LTL model checker, this should be 
possible. Another interesting question is what kind of effect the procedure would 
have on partial order methods, such as the stubborn set method. 
Abstract. State space analysis is a popular formal reasoning technique. 
However, it is subject to the crippling problem of state space explosion, 
where its application to real world models leads to unmanageably large 
state spaces. In this paper we present algorithms which attempt to al- 
leviate the state space explosion problem by taking advantage of the 
common practice of incremental development, i.e. where the designer 
starts with an abstract model of the system and progressively refines it. 
The performance of the incremental algorithm is compared to that of the 
standard algorithm for some case studies, and situations under which the 
performance improvement can be expected are identified. 



1 Introduction 

A major advantage of formal methods is that they allow for formal reasoning. 
State-based formal reasoning techniques commonly involve examining every pos- 
sible state of a system. Such techniques are automatic, can be applied by less 
trained personnel, and can be used for analysis and error detection as well as 
verification. For these reasons they are seen as one of the most promising formal 
reasoning techniques. 

Unfortunately the number of states of a system increases exponentially as the 
complexity of the system increases. This means that the total number of states 
is often far too large with respect to time and/or space resources to be fully 
generated. This growth of the state space is referred to as state space explosion, 
and is the primary obstacle to the practical application of state-based formal 
reasoning techniques. 

Most state space methods investigate the reachable states by constructing a 
Reachability Graph (also known as an Occurrence Graph). In its most basic 
form a reachability graph is a directed graph consisting of all the states the 
system can reach from its given initial state. Each vertex of the graph represents 
a state of the system being analysed, and each directed edge is labelled with the 
action that leads to the next state (that is, the next vertex of the graph). A basic 
reachability graph represents an interleaving semantics of a system. That is, it 
does not model the possibility of two or more actions occurring simultaneously. 
State space explosion does not preclude the use of state space analysis in 
practice, since the great advantages of these methods have motivated many 
researchers to try to find ways of alleviating the problem. Two popular 
approaches are Symmetric Occurrence Graphs and Stubborn Sets. Sym- 
metric occurrence graphs identify sets of symmetric states and store only one 
representative from each set. Thus, large sections of the state space are omitted, 
at the cost of additional computation to determine which states are symmetric. 
Another benefit is that the full state space can be recovered. Stubborn sets, 
on the other hand, reduce the size of the state space by eliminating a number 
of interleavings of independent processes. Here, the full state space cannot be 
recovered, but it is guaranteed that the desirable properties are not affected by 
the reduction in the state space. 

A recent technique by Christensen and Petrucci exploits the modular 
structure present in many formal specifications to minimise the representation 
of the interleaving of independent actions and therefore to help alleviate the 
state space explosion. The current paper has certain points of contact with the 
approach of Christensen and Petrucci, in attempting to alleviate state space 
explosion by utilising the incremental structure found in many Coloured Petri 
Net (CPN) models. This structure arises because designers commonly develop 
their models incrementally: they start with an abstract model of the system 
(and possibly verify certain properties of the abstraction) and then progressively 
refine that model till sufficient detail is included. 

This paper is organised as follows: through the use of a simple example, Sec- 
tion 2 informally introduces three forms of incremental change that have previ- 
ously been identified as suitable for use in practice; Section 3 presents algorithms 
that take advantage of each of the forms of incremental change; Section 4 re- 
ports on the implementation of the incremental algorithm; Section 5 examines 
the performance of the incremental algorithm for some case studies and identi- 
fies the situations under which performance improvements are maximised; and 
finally conclusions and areas for further work are given in Section 6. We assume 
the reader has a working knowledge of CPNs. 

2 Incremental Development of Coloured Petri Nets 



Incremental change is fundamental to the way people solve complex problems. 
They tend to first develop a solution to a simpler problem, and then incremen- 
tally add detail to change this solution to address the problem at hand. 

In the context of Coloured Petri Nets, three forms of incremental change 
or refinement have been identified as being commonly applicable in practice. 
They have been termed type refinement, subnet refinement, and node refine- 
ment. These are all special cases of so-called system morphisms, i.e. morphisms 
(or mappings) $\phi : N \to N'$, from a refined net, $N$, to an abstract net, $N'$, which 
maintain behavioural compatibility. This means that every (complete) action 
sequence of the refined system corresponds to an action sequence of the abstract 
system, and every reachable state of the refined system (following a complete 
action sequence) corresponds to a state of the abstract system. This correspon- 
dence is achieved by either ignoring the refined action or state components, or 
projecting them onto abstract components [5]. 

Fig. 1. A simple net (a) and its reachability graph (b) 

Using the net of Figure 1 (a) as an example, we now informally present type, 
subnet and node refinement. (A formal presentation can be found in [5].) In this 
net, place $p_1$ initially holds a token $x$, while place $p_4$ initially holds a token $y$. 
If transition $t_1$ fires with mode $x$, it results in transferring a token $x$ from place 
$p_1$ to $p_2$. The subsequent firing of transition $t_2$ with mode $(x, y)$ would result in 
token $x$ being consumed from place $p_2$ and token $y$ from place $p_4$, with tokens $x$ 
and $y$ being deposited in place $p_3$. 

The first and simplest form of refinement, type refinement, involves incorpo- 
rating additional information in the tokens and firing modes, while keeping the 
net structure unchanged. Each value of the refined type can be projected onto a 
value of the abstract type. For example it may be desirable to introduce further 
information into the type $X$ of Figure 1 (a). This will simply involve extending 
the type $X$, to say $X = \{(x, 1)\}$, extending the corresponding transition firing 
modes, and changing the initial marking so that the place $p_1$ contains the token 
$(x, 1)$. In this refined version of the system, it is certainly the case that if there 
is a behaviour of the refined system, then there is a corresponding behaviour of 
the abstract system. 

The second form of refinement, subnet refinement, involves augmenting a 
subnet with additional places, transitions, and arcs. We can use subnet refine- 
ment on the net of Figure 1 (a) to give the net of Figure 2, where places $p_6$ and 
$p_7$ and transition $t_4$ have been added. As with type refinement, constraints on 
subnet refinement ensure that for each behaviour of the refined system there is a 
corresponding behaviour of the abstract system (but not necessarily vice versa). 

The third form of refinement, node refinement, is to replace a place (tran- 
sition) by a place (transition) bordered subnet. Canonical forms of such refine- 
ments are those mandated previously. The place $p_2$ and transition $t_3$ of the net of 
Figure 1 (a) might be refined as shown in Figure 3. The refined place has one input 
border place called p2-inp1 and one output border place called p2-out1. The 
p2-accept and p2-offer transitions, together with the internal place p2-buf, constitute 
the basis of the canonical place refinement. It guarantees that tokens are preserved. 
Further activity is achieved by the subnet refinement which extends transition 
p2-accept. The transitions t3-start, t3-finish, t3-switch, and the places t3-recd, 
t3-send, constitute the basis of the canonical transition refinement. This guaran- 
tees that the border transitions (t3-start and t3-finish) will fire with matching 
modes. Again, a behaviour of the refined system will have a corresponding ab- 
stract behaviour, though the reverse will not necessarily be the case. 

Declarations: X = {x}, Y = {y}, Z = {z} 

Fig. 2. The net of Figure 1 (a) refined using subnet refinement 

Fig. 3. The net of Figure 1 (a) refined using node refinement 

Even though the above three forms of refinement can be identified and anal- 
ysed in isolation, they will commonly be used in combination in practical appli- 
cations. 



3 Incremental State Space Algorithms 

In this section we present reachability graph algorithms that take advantage of 
type, subnet and node refinement. These can be combined into a single algorithm 
that takes advantage of a mixture of type, subnet, and node refinement, but we 
do not do so due to space constraints. 

Coloured Petri Nets are defined in the context of a universe of non-empty 
colour sets $\Sigma$, the functions over $\Sigma$ given by $\{X \to Y \mid X, Y \in \Sigma\}$, the 
multisets over a colour set $X$ given by $\mu X = \{X \to \mathbb{N}\}$, and the sequences over 
a colour set $X$ given by $\sigma X = \{x_1 x_2 \ldots x_n \mid x_i \in X\}$. 

Definition 1. A Coloured Petri Net $N$ is a tuple 
$N = (P, T, A, C, E, \mathcal{M}, \mathcal{Y}, M_0)$ where: 

a. $P$ is a set of places 

b. $T$ is a set of transitions, s.t. $P \cap T = \emptyset$ 

c. $A$ is a set of arcs, s.t. $A \subseteq (P \times T) \cup (T \times P)$ 

d. $C : P \cup T \to \Sigma$ determines the colours of places and (modes) of transitions 

e. $E$ gives the arc inscriptions, s.t. $E(p,t), E(t,p) : C(t) \to \mu C(p)$ 

f. $\mathcal{M} = \mu\{(p, c) \mid p \in P, c \in C(p)\}$ is the set of markings 

g. $\mathcal{Y} = \mu\{(t, c) \mid t \in T, c \in C(t)\}$ is the set of steps 

h. $M_0$ is the initial marking, $M_0 \in \mathcal{M}$ 

Note that there is at most one arc in each direction for any (place, transition) pair 
and that the effect of an arc is given by the arc inscription in conjunction with 
a particular transition firing mode. We refer to a (place, colour) pair as a token 
element, and a (transition, colour) pair as a firing element. We denote the set of 
all firing elements by $FE$, i.e. $FE = \{(t, c) \mid t \in T, c \in C(t)\}$. The markings of 
$N$ are multisets of token elements, and the steps are multisets of firing elements. 
While markings and steps are derivative quantities, they are included in the 
definition so that it is clear that system morphisms $\phi : N \to N'$ map markings 
and steps to markings and steps respectively. 

The above definition is, to all intents and purposes, equivalent to the common 
definition [3]. It does not include a guard function defined on transitions, but the 
same effect is achieved by limiting the colour set associated with the transition. 

Having defined the structure of CPNs, we are now ready to consider their 
behaviour. 

Definition 2. The incremental effects $E^+, E^- : \mathcal{Y} \to \mathcal{M}$ of the occurrence of a 
step $Y$ are given by: 

a. $E^-(Y) = \sum_{(t,m) \in Y} \sum_{(p,t) \in A} \{p\} \times E(p,t)(m)$ 

b. $E^+(Y) = \sum_{(t,m) \in Y} \sum_{(t,p) \in A} \{p\} \times E(t,p)(m)$ 

The enabling and firing of steps and sequences is defined in the usual manner: 

Definition 3. For a CPN $N$, a step $Y \in \mathcal{Y}$ is enabled in marking $M \in \mathcal{M}$, 
written $M[Y\rangle$, if $M \geq E^-(Y)$. If a step $Y \in \mathcal{Y}$ of CPN $N$ is enabled in marking 
$M_1 \in \mathcal{M}$, it may fire leading to marking $M_2 \in \mathcal{M}$, written $M_1[Y\rangle M_2$ with 
$M_2 = M_1 - E^-(Y) + E^+(Y)$. The set of reachable markings $\mathcal{M}_R \subseteq \mathcal{M}$ is given 
by $\mathcal{M}_R = \{M \in \mathcal{M} \mid \exists Y^* \in \sigma\mathcal{Y} : M_0[Y^*\rangle M\}$. 

The standard way to represent the state space of a system is using a directed 
graph called a reachability graph (as introduced in Section 1). A reachability 
graph has a vertex (node) for every reachable state or marking of the system, 
and a directed edge (arc) for every possible step that occurs (here with a single 
firing element). We allow multiple edges between pairs of vertices. 
Definition 4. The reachability graph of a net $N = (P, T, A, C, E, \mathcal{M}, \mathcal{Y}, M_0)$ is 
the directed graph $G = (V, \mathcal{E}, f)$ where: 

$V = \mathcal{M}_R$, the set of vertices, each of which is a reachable marking 

$\mathcal{E} = \{(M_1, (t, c), M_2) \in V \times \mathcal{Y} \times V \mid M_1[(t, c)\rangle M_2\}$, the set of edges, each of 
which identifies an enabled firing element 

$\forall e = (M_1, (t, c), M_2) \in \mathcal{E} : f(e) = (M_1, M_2)$, the end points of each edge 



The reachability graph of the net of Figure 1 (a) is shown in Figure 1 (b) 
(where the key indicates how the marking of each place contributes to a marking 
of the net). This reachability graph is built using the standard reachability graph 
algorithm for CPNs given in Algorithm 1. This is based on that of Jensen, 
and differs from it only to simplify the subsequent development of incremen- 
tal versions. The algorithm determines the reachability graph $G$ for the net $N$ 
starting from the initial marking $M_0$. Waiting is the set of reachable markings 
whose successors have not yet been examined. It is therefore initialised to $\{M_0\}$. 
The algorithm repeatedly examines a marking in Waiting, adding edges and asso- 
ciated vertices to the graph for all the immediate successor states. This process 
continues till all reachable states have been examined. 

Functions are defined for building the graph: addVertex($G$, $M$) adds a 
vertex representing the marking $M$ to the graph $G$, and addEdge($G$, $(M, (t, c), M_1)$) 
adds an edge from $M$ to $M_1$ labelled by $(t, c)$ to $G$. The function 
select(Waiting) returns a marking from the Waiting set. We do not indicate 
how the selection of this state is performed. The nature of this selection will de- 
termine whether the graph is constructed in a breadth-first manner, depth-first 
manner, or some other order. 

The variable possible is a set of candidate transitions to be examined. We 
do not indicate how this set is calculated. In the worst case, it would be the set 
of all transitions. In the best case, it would be the set of transitions enabled at 
$M$. Unfortunately, there is no known heuristic to efficiently determine exactly 
those transitions which are enabled. Therefore possible will include all enabled 
transitions plus possibly some which are not enabled at $M$. The fewer disabled 
transitions included in the set, the better the performance of the algorithm. The 
function edgesFrom($N$, $M$, possible) returns the set of edges that result from 
the occurrence of a transition in the set possible at marking $M$, namely: 

$\{(M, (t, c), M_2) \mid (t \in possible) \wedge M[(t, c)\rangle M_2\}$. 



The edgesFrom function therefore must determine which firing elements are 
enabled. This can be a bottleneck in the performance of the reachability graph 
algorithm. The function match($G$, $M$) returns true if and only if $M$ matches 
any vertex in $G$. We do not indicate how matching of markings is performed. 
It could be something trivial like an equality test, or possibly something more 
subtle such as allowing for symmetry. 

Pseudo code for the edgesFrom function is also presented. The function 
enabledFiringElements($N$, $M$, $t$) returns the set of firing elements involving $t$ 
enabled at marking $M$. enabledFiringElements could be implemented using 
the transition instance analysis algorithm of Maria. The algorithm is rather 
complicated, but the basic idea is to bind tokens in the input places, one at a 
time, to the variables on the input arcs of the transition being analysed. 

Algorithm 1 Standard Reachability Graph Algorithm 

reachabilityGraph(G, N, M0) 
begin 
  addVertex(G, M0) 
  Waiting := {M0} 
  while Waiting ≠ ∅ do 
    M1 := select(Waiting) 
    for all (M1, (t, c), M2) ∈ edgesFrom(N, M1, possible) do 
      if not match(G, M2) then 
        addVertex(G, M2) 
        Waiting := Waiting + {M2} 
      end if 
      addEdge(G, (M1, (t, c), M2)) 
    end for 
    Waiting := Waiting − {M1} 
  end while 
end 

edgesFrom(N, M, possible) 
begin 
  Result := ∅ 
  for all t ∈ possible do 
    for all (t, c) ∈ enabledFiringElements(N, M, t) do 
      M1 := M − E−((t, c)) + E+((t, c)) 
      Result := Result + {(M, (t, c), M1)} 
    end for 
  end for 
  return Result 
end 



3.1 Catering for Type Refinement 

Given a net that has been derived from an abstract net by type refinement, we 
can use the reachability graph of the abstract net to help produce the reachability 
graph of the refined net. We refer to reachability graphs, markings and firing 
elements as either abstract or refined. 

In the previous section, we noted that a time consuming task in reacha- 
bility graph generation is determining which firing elements are enabled for a 
given marking. Recall that a system morphism, $\phi : N \to N'$, maps refined net 
components to abstract net components. For type refinement, the refined firing 
elements enabled at $M$ project onto abstract firing elements enabled at $\phi(M)$. 
Therefore the determination of refined firing elements which are enabled at 
marking $M$ can be constrained by the knowledge of the abstract firing elements 
enabled at marking $\phi(M)$, which is already known from the abstract reachabil- 
ity graph. Further, if neither the transition $t$ nor its neighbouring places have 
been modified by type refinement, then the enabled abstract and refined firing 
elements coincide, and the follower marking $M_1$ can simply be determined by 
applying the changes to $\phi(M)$ to $M$. 

An algorithm which takes advantage of both type refinement and subnet 
refinement is presented in the following section. 

We illustrate the above approach using the net of Figure 1 (a). Suppose that 
the type $X = \{x\}$ in this net is refined to $X = \{(x, 1)\}$ and that the initial 
marking is changed so that the place $p_1$ contains the token $(x, 1)$. 

Given the marking $M_0 = (p_1, (x, 1)) + (p_4, y)$ of the type refined net, the 
corresponding marking in the abstract net is $\phi(M_0) = (p_1, x) + (p_4, y)$. From the 
reachability graph of the abstract net, we know that the firing elements $(t_1, x)$ and 
$(t_3, y)$ are enabled at $\phi(M_0)$. Since the neighbouring places of $t_1$ have been type 
refined, we must check whether firing elements involving $t_1$ are still enabled in the 
refined net. On the other hand, the neighbouring places of $t_3$ have not changed, 
and so the enabled firing elements for $t_3$ in the refined net are exactly those which 
were enabled in the abstract net (i.e. $(t_3, y)$). The successor of firing $(t_3, y)$ from 
$\phi(M_0)$ in the abstract net is $M_1' = (p_1, x) + (p_5, y)$. We can efficiently find the 
successor of $M_0$ with firing element $(t_3, y)$ by applying the changes to $\phi(M_0)$ to $M_0$. 
Hence the successor of $M_0$ by firing $(t_3, y)$ is $M_1 = (p_1, (x, 1)) + (p_5, y)$. 



3.2 Catering for Subnet Refinement 

As was the case with type refinement, if a net is refined using subnet refinement, 
we can use the reachability graph of the abstract net to help determine the firing 
elements that are enabled at a given refined marking and therefore reduce the 
time required to construct the reachability graph of the refined net. 

In the case of subnet refinement, the system morphism, $\phi : N \to N'$, is a 
restriction of the net $N$. In other words, the components of $N$ are either retained 
or ignored in $N'$. Thus, if a refined firing element of $N$ is retained in $N'$, then 
it can only be enabled if the corresponding abstract firing element is enabled at 
the corresponding marking, a fact which can be determined from the abstract 
reachability graph. If a refined firing element of $N$ is ignored in $N'$, the abstract 
reachability graph does not help us and we must determine its enabling in the 
usual way. Thus, we again have that if an abstract transition $t$ is unchanged in 
the refined net, then its enabled refined firing elements at marking $M$ are exactly 
the enabled abstract firing elements at marking $\phi(M)$. 

We illustrate the principle using the net of Figure 1 (a), modified by subnet 
refinement, as in Figure 2. Given the marking $M_0 = (p_1, x) + (p_4, y) + (p_6, z)$, the 
corresponding abstract marking is $\phi(M_0) = (p_1, x) + (p_4, y)$, where the marking 
of newly added places is ignored. The abstract firing elements enabled at $\phi(M_0)$ 
are $(t_1, x)$ and $(t_3, y)$. The transition $t_1$ has not been changed by the refinement, 
nor have its neighbouring places, and hence the refined firing element $(t_1, x)$ 
is enabled in the refined net. Further, the abstract successor can be used to 
efficiently determine the refined successor. In this case, the successor of the initial 
marking in the abstract net is $M_1' = (p_2, x) + (p_4, y)$. The changes to places $p_1$ 
and $p_2$ must be applied to the initial marking of the refined net, namely $M_0$, 
giving $M_1 = (p_2, x) + (p_4, y) + (p_6, z)$. 

On the other hand, the transition $t_3$ has been modified (it has an extra input 
arc), so firing elements involving $t_3$ must be examined to determine whether they 
are enabled in the refined net. It turns out that the firing element $(t_3, (y, z))$ is 
enabled. Finally, there is a newly added transition, $t_4$, which must be examined 
to find out if it has any enabled firing elements. 

Algorithm 2 edgesFrom modified to cater for type and subnet refinement 

edgesFrom-typeSubnet(N, N′, M, possible) 
begin 
  Result := ∅ 
  for all (φ(M), (t, c′), M1′) ∈ abstractEdgesFrom(N′, φ(M), φ(possible)) do 
    if not changed(N, N′, t) then 
      M1 := update(N, N′, M, M1′) 
      Result := Result + {(M, (t, c′), M1)} 
    else 
      for all (t, c) ∈ FE | φ((t, c)) = (t, c′) do 
        if M ≥ E−((t, c)) then 
          M1 := M − E−((t, c)) + E+((t, c)) 
          Result := Result + {(M, (t, c), M1)} 
        end if 
      end for 
    end if 
  end for 
  for all (t, c) ∈ FE | (t ∈ possible) ∧ not mapped(t, φ) do 
    if M ≥ E−((t, c)) then 
      M1 := M − E−((t, c)) + E+((t, c)) 
      Result := Result + {(M, (t, c), M1)} 
    end if 
  end for 
  return Result 
end 

Algorithm 2 takes advantage of type and subnet refinement to improve the 
performance of the reachability graph construction. The abstractEdgesFrom 
function returns all the edges from the abstract marking $\phi(M)$. That is, it re- 
turns all the enabled abstract firing elements at $\phi(M)$ and the corresponding 
successor markings. We would usually expect the edges simply to be looked 
up in the reachability graph of the abstract net, but they could be calculated 
as required. The function changed($N$, $N'$, $t$) determines if the transition $t$ or 
its neighbouring places have been modified by type or subnet refinement. The 
function update($N$, $N'$, $M$, $M_1'$) determines the refined successor of $M$ given the 
abstract successor, $M_1'$, of $\phi(M)$. The function mapped($t$, $\phi$) returns true if the 
transition $t$ is mapped to a transition in $N'$ by the morphism $\phi$ (rather than 
being ignored). 
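The following is an added worked example, not code from the paper or from Maria: it implements the step semantics of Definitions 2 and 3, the standard reachability graph construction of Algorithm 1, and the edgesFrom of Algorithm 2 for a subnet refinement, and counts enabling tests so that the saving from reusing the abstract reachability graph becomes visible. The abstract net follows the description of Figure 1 (a) in the text; the refined net is an assumption standing in for Figure 2 (transition t3 gains an input arc from p6 and an output arc to p7, and the new transition t4 returns z from p7 to p6), and the names CPN, edges_from_type_subnet, compare and the morphism tuple PHI are likewise this example's own.

```python
from collections import Counter

# Markings are Counters over token elements (place, colour); a firing element is
# (transition, mode).  E^- and E^+ (Definition 2) are given per transition as
# functions from a mode to the Counter of token elements removed / added.

class CPN:
    def __init__(self, transitions, modes, pre, post, m0):
        self.transitions = transitions   # transition names
        self.modes = modes               # t -> list of modes, i.e. C(t)
        self.pre, self.post = pre, post  # t -> (mode -> Counter): E^-, E^+
        self.m0 = m0

def tok(*pairs):
    return Counter(pairs)                # marking from (place, colour) pairs

def key(m):
    return frozenset(m.items())          # match(G, M) is plain equality here

def enabled(m, need):
    """M >= E^-((t,c)) (Definition 3); each test is counted for the comparison."""
    enabled.tests += 1
    return all(m[k] >= n for k, n in need.items())
enabled.tests = 0

def fire(net, m, t, c):
    """M2 = M1 - E^-((t,c)) + E^+((t,c)); call only after enabled()."""
    return (m - net.pre[t](c)) + net.post[t](c)

def edges_from(net, m, possible):
    """edgesFrom of Algorithm 1; enabledFiringElements tries every mode of t."""
    result = []
    for t in possible:
        for c in net.modes[t]:
            if enabled(m, net.pre[t](c)):
                result.append((m, (t, c), fire(net, m, t, c)))
    return result

def reachability_graph(net, edges_fn):
    """Algorithm 1; select(Waiting) pops the last element, i.e. depth-first."""
    vertices, edges, waiting = {key(net.m0): net.m0}, [], [net.m0]
    while waiting:
        m1 = waiting.pop()               # select(Waiting) and Waiting - {M1}
        for _, fe, m2 in edges_fn(net, m1, net.transitions):
            if key(m2) not in vertices:  # not match(G, M2)
                vertices[key(m2)] = m2
                waiting.append(m2)
            edges.append((key(m1), fe, key(m2)))
    return vertices, edges

def edges_from_type_subnet(net, abs_graph, phi, m, possible):
    """Algorithm 2 for a subnet refinement.  phi = (retained places, changed
    transitions, new unmapped transitions, mode projection)."""
    verts, abs_edges = abs_graph
    keep, changed, new, proj = phi
    m_abs = Counter({k: n for k, n in m.items() if k[0] in keep})   # phi(M)
    result = []
    for src, (t, c_abs), dst in abs_edges:      # abstractEdgesFrom(N', phi(M))
        if src != key(m_abs) or t not in possible:
            continue
        if t not in changed:                     # update(): apply abstract change to M
            m1_abs = verts[dst]
            result.append((m, (t, c_abs), (m - (m_abs - m1_abs)) + (m1_abs - m_abs)))
        else:                                    # changed(N, N', t): re-check enabling
            for c in net.modes[t]:
                if proj(t, c) == c_abs and enabled(m, net.pre[t](c)):
                    result.append((m, (t, c), fire(net, m, t, c)))
    for t in new:                                # not mapped(t, phi)
        for c in (net.modes[t] if t in possible else []):
            if enabled(m, net.pre[t](c)):
                result.append((m, (t, c), fire(net, m, t, c)))
    return result

# Abstract net N' of Figure 1 (a) as described in the text: t1 moves x from p1 to
# p2, t2 takes x from p2 and y from p4 into p3, t3 moves y from p4 to p5.
ABSTRACT = CPN(['t1', 't2', 't3'],
    {'t1': ['x'], 't2': [('x', 'y')], 't3': ['y']},
    {'t1': lambda c: tok(('p1', c)), 't3': lambda c: tok(('p4', c)),
     't2': lambda c: tok(('p2', c[0]), ('p4', c[1]))},
    {'t1': lambda c: tok(('p2', c)), 't3': lambda c: tok(('p5', c)),
     't2': lambda c: tok(('p3', c[0]), ('p3', c[1]))},
    tok(('p1', 'x'), ('p4', 'y')))

# Constructed subnet refinement N (an assumption standing in for Figure 2): t3
# gains an input arc from p6 and an output arc to p7, and the new transition t4
# returns z from p7 to p6.  phi ignores p6, p7 and t4 and projects (y, z) to y.
REFINED = CPN(['t1', 't2', 't3', 't4'],
    {'t1': ['x'], 't2': [('x', 'y')], 't3': [('y', 'z')], 't4': ['z']},
    {**ABSTRACT.pre, 't3': lambda c: tok(('p4', c[0]), ('p6', c[1])),
     't4': lambda c: tok(('p7', c))},
    {**ABSTRACT.post, 't3': lambda c: tok(('p5', c[0]), ('p7', c[1])),
     't4': lambda c: tok(('p6', c))},
    tok(('p1', 'x'), ('p4', 'y'), ('p6', 'z')))
PHI = ({'p1', 'p2', 'p3', 'p4', 'p5'}, {'t3'}, {'t4'},
       lambda t, c: c[0] if t == 't3' else c)

def compare():
    """Builds the refined graph both ways; returns sizes and enabling-test counts."""
    abs_graph = reachability_graph(ABSTRACT, edges_from)
    enabled.tests = 0
    v_std, e_std = reachability_graph(REFINED, edges_from)
    std_tests, enabled.tests = enabled.tests, 0
    inc = lambda net, m, poss: edges_from_type_subnet(net, abs_graph, PHI, m, poss)
    v_inc, e_inc = reachability_graph(REFINED, inc)
    return {'abstract': (len(abs_graph[0]), len(abs_graph[1])),
            'refined': (len(v_std), len(e_std)),
            'same_graph': set(v_std) == set(v_inc) and set(e_std) == set(e_inc),
            'tests_standard': std_tests, 'tests_incremental': enabled.tests}
```

On this net the two constructions produce the same refined graph (7 markings, 8 edges), but the standard algorithm performs one enabling test per mode per marking (28 in total), whereas the Algorithm 2 variant only tests the modified transition t3 where the abstract graph shows an abstract edge for it and the unmapped transition t4 (9 tests in total); every other edge is obtained by applying the abstract change to the refined marking, which is the saving the text describes.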
3.3 Catering for Node Refinement 

For a net with refined nodes, the state space is developed using a variant of 
modular analysis as proposed by Christensen and Petrucci. Thus, the state 
space for each refined node is developed separately, since it is an independent 
subsystem apart from those points where it interacts with its environment. This 
leads to several reachability graphs which combine to represent the complete 
state space of the refined net. We refer to the collection of graphs as the 
Refined-Node State Space (RNSS). Due to space constraints, we only present an 
informal explanation of the RNSS here. Formal definitions and the derivation of 
RNSS properties are presented elsewhere. 

The RNSS is composed of a local graph for each refined node, and a global 
graph. The local graph of a refined node only contains local information, namely 
the reachable markings of the (subnet of the) refined node and the associated 
enabled firing elements.¹ 

The global graph is similar to the synchronisation graph of modular analy- 
sis, in that each vertex of the global graph refers to strongly connected com- 
ponents (SCCs)² of the local graphs, rather than the individual markings. We 
call such vertices global vertices. As with modular analysis, this approach avoids 
much of the interleaving that would normally be present in the full reachability 
graph. The full reachability graph can be recovered from the RNSS. However, the 
various dynamic properties (reachability, dead markings, liveness, home prop- 
erties, etc.) can be determined directly from the RNSS. This is particularly 
important since the recovery of the full reachability graph may be comput- 
ationally expensive. 

We explain the construction of the RNSS by considering the node refinement 
of Figure 1 (a) as in Figure 3. In the following, for an abstract node $x''$ which is 
refined, we denote the local graph of $x''$ by $G_{x''}$, and the subnet of $N$ by $N_{x''}$. We 
will also use the notation $M|_p$ to refer to the marking $M$ restricted to the place 
$p$, and $M|_{x''}$ to refer to the marking $M$ restricted to (the places occurring in) the 
subnet of the node $x''$ plus the environment places (if $x''$ is a transition). This 
notation is generalised to $M|_X$, where $X$ is a set of nodes (refined or otherwise). 

To construct the RNSS, we start with the global graph and add a vertex 
representing the initial marking, as shown in Figure 4 (a). It is worth noting 
that: 

— The global graph has the rather unusual property that it stores markings for 
refined transitions. Unlike simple transitions, refined transitions may retain 
some state information between firings. 

— To avoid cluttering the graphs, we have not included the labels on edges of 
local graphs. 

¹ For technical reasons, the markings of the neighbouring places of a border transition 
of the refined transition are also included in its local reachability graph. 

² Informally, a strongly connected component is a subset, $S$, of the nodes of a directed 
graph such that any node in $S$ is reachable from any other node in $S$ and $S$ is not a 
subset of any larger such set. 

Fig. 4. RNSS generation for the net of Figure 3 
The next step in the RNSS generation involves adding successors from $M_0$ 
to the global graph. If there is an unrefined transition which only takes input 
from unrefined places, then its enabling can be determined directly (or from the 
abstract reachability graph). This is the case with transition $t_1$. Since it has 
output to a refined place (here $p_2$), we need to determine the relevant strongly 
connected component for the local graph. 

If there is a refined transition, then we consider its border terminal step 
sequences. Such a sequence involves only internal transitions of the refined tran- 
sition, and ends with the occurrence of an output border transition. This would 
be the case for an internal sequence of transitions of the refined transition $t_3$ 
that ends with the occurrence of t3-finish. The edge in the global reacha- 
bility graph simply indicates the sum of abstract firing modes for the refined 
transition (i.e. the sum of modes for the switch transition in the border terminal 
sequence), together with the local markings before and after the border terminal 
step sequence. 

Finally, if the transition under consideration in the global graph has input 
from refined places, then we consider successors which are possible following a 
sequence of internal transitions of those refined places. Naturally, the occurrence 
of those internal transitions is only recorded in the relevant local graph, but 
the edge in the global graph is labelled with the actual source and successor 
markings (and not just the relevant SCCs). In our example, this would be the 
case for the firing of transition $t_2$, which is not enabled in $M_0$. 

In our example the result of adding immediate successors from $M_0$ is shown 
in Figure 4 (b). At this point, the transition $t_2$ is enabled. The above process 
of adding successors is repeated for each vertex of the global graph for which 
immediate successors have not been examined. The complete RNSS is shown in 
Figure 4 (c). 

If we compare the ordinary state space of the whole system, with the RNSS, 
we observe that even for this trivial example, the RNSS is smaller than the 
ordinary state space. The RNSS contains a total of 20 nodes and 21 edges, while 
the ordinary state space contains 38 nodes and 88 edges. 

The structure of the algorithm to develop the RNSS is the same as that of 
the basic reachability algorithm (Algorithm 0), modified with the changes given 
in Algorithm El Since the global graph stores global vertices then the Waiting 
set of Algorithm 0 will now store global vertices, and the function ADdVertex 
of Algorithm 0 will now add global vertices. 

As in Christensen and Petrucci 0, if $v \in V$, then we use $v^{\mathrm{SCC}}$ to denote the 
strongly connected component to which $v$ belongs, and $M^{G}$ to denote the global 
vertex corresponding to $M$. The function globalVertex($M$) of Algorithm 3 
calculates the global vertex corresponding to $M$ (i.e. it calculates $M^{G}$). Firstly, 
this is initialised to $M|_{EP}$, where $EP$ is the set of external places, that is, places of 
the refined net that are not part of a refined node. The state space of each refined 
node is then developed from the current marking. refinedNodes($N'$) returns 
the set of places and transitions of the abstract net $N'$ that are refined by node 
refinement; reachabilityGraph$_{x''}$($G_{x''}$, $N_{x''}$, $M$) calculates the reachability graph 
from $M$, where $M$ may already appear in $G_{x''}$; and computeSCCs($G_{x''}$, $M|_{x''}$) 
Algorithm 3 globalVertex, and modified edgesFrom, for node refinement 

globalVertex(M) 
begin 
  M^G := M|EP 
  for all x'' ∈ refinedNodes(N') do 
    reachabilityGraph_x''(G_x'', N_x'', M|x'') 
    scc := computeSCCs(G_x'', M|x'') 
    M^G := M^G + (x'', scc) 
  end for 
  return M^G 
end 

edgesFrom-node(N, N', M, possible) 
begin 
  Result := ∅ 
  for all t ∈ ET ∩ possible do 
    for all M1 ∈ internallyReachable(N, M, °t) do 
      if M1 ≥ E−((t, c)) then 
        M2 := M1 − E−((t, c)) + E+((t, c)) 
        Result := Result + {(M^G, ((t, c), M1|(°t ∪ t°), M2|(°t ∪ t°)), M2^G)} 
      end if 
    end for 
  end for 
  for all t'' ∈ T'' do 
    for all M1 ∈ internallyReachable(N, M, °t'') do 
      reachabilityGraph_t''(G_t'', N_t'', M1|t'') 
      for all (m, c) ∈ borderTerminal(G_t'', M1|t'') do 
        M2 := M1 − M1|t'' + m 
        Result := Result + {(M^G, (c, M1|(°t'' ∪ t''° ∪ t''), M2|(°t'' ∪ t''° ∪ t'')), M2^G)} 
      end for 
    end for 
  end for 
  return Result 
end 



computes the SCCs of the vertices reachable from $M|_{x''}$ in the graph $G_{x''}$, and 
returns the SCC index of the marking $M|_{x''}$. Thus the marking $M|_{x''}$ is replaced 
by its SCC index to form $M^{G}$. 

Since each refined node has an associated local graph, and since the local 
state space is developed from different starting points, then it follows that the 
local graph is not necessarily connected. Also, it may be the case that part or all 
of the local state space of a given refined node has previously been developed. 
This is clearly an advantage, saving time and space as the state space does not 
need to be developed again (as would be the case in the standard algorithm). We 
also note that the local graphs are independent, and the implementation could 
therefore develop them in parallel. 
The edgesFrom function has also been changed as in Algorithm 3 to produce 
the RNSS. It first considers those edges due to external transitions. (These 
are the transitions of the refined net that are not part of a refined node, and 
are denoted $ET$.) It then finds those edges due to refined transitions. We use 
${}^{\circ}t$ to denote the set of abstract places that are refined by node refinement and 
are inputs of the transition $t$. Similarly $t^{\circ}$ denotes the set of abstract places that 
are refined by node refinement and are outputs of the transition $t$. The function 
internallyReachable($N$, $M$, ${}^{\circ}t$) returns the set of markings reachable from 
$M$ after internal activity of the refined places in ${}^{\circ}t$. This set includes the marking 
$M$. The source and successor markings stored with the edge of the global graph 
are the source and successor markings restricted to the refined places which are 
adjacent to the transition $t$. We note that the labelling of edges extends that of 
Algorithm n by incorporating the relevant local markings. 

Having considered the external transitions, the function edgesFrom con-
siders the refined transitions. (We denote by $T''$ the set of transitions of the 
abstract net which are refined by node refinement.) For each refined transition, 
we generate its local reachability graph $G_{t''}$, starting at marking $M|_{t''}$. We then 
consider the border terminal firing sequences in these local graphs. (The function 
borderTerminal($G_{t''}$, $M|_{t''}$) identifies these firing sequences and returns a set 
of tuples $(m, c)$ where $m$ is a marking reachable by a border terminal sequence, 
and $c$ is the sum of abstract firing modes that are fired to reach $m$.) Recall that 
a border terminal firing sequence of a refined transition consists of only internal 
transitions of the refined transition, and ends with the occurrence of an output 
border transition. 
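The following Python, added here as an example and not code from the paper or from Maria, builds the RNSS of a small constructed net with one refined place and compares its size with the ordinary state space. The net, its transition names, and the use of an SCC's set of markings in place of the paper's SCC index are assumptions of the example; only the external-transition loop of edgesFrom-node is covered.

```python
"""RNSS construction for a constructed net with one refined place R.

Added example, not code from the paper or from Maria. R is a superplace whose
internal chain r1 -> r2 -> r3 (transitions i1, i2) is recorded only in R's local
graph; the toggle tx/ty is unrelated external activity that would otherwise
interleave with it. Global vertices are (M|EP, SCC of M|R) as in globalVertex,
and global edges come only from external transitions, as in the first loop of
edgesFrom-node; refined transitions are not modelled, and `possible` is all of
ET because no abstract graph is built here.
"""
from collections import deque

TRANSITIONS = {           # name: (preset, postset) as {place: weight}
    "tin":  ({"a": 1},  {"r1": 1}),   # input border: deposits a token into R
    "tout": ({"r3": 1}, {"a": 1}),    # output border: takes the token out of R
    "tx":   ({"e0": 1}, {"e1": 1}),   # independent external activity
    "ty":   ({"e1": 1}, {"e0": 1}),
    "i1":   ({"r1": 1}, {"r2": 1}),   # internal to R
    "i2":   ({"r2": 1}, {"r3": 1}),   # internal to R
}
REFINED = {"R": ({"r1", "r2", "r3"}, ["i1", "i2"])}  # node: (places, internal ts)
INTERNAL_PLACES = {p for ps, _ in REFINED.values() for p in ps}
INTERNAL_TS = {t for _, ts in REFINED.values() for t in ts}
ET = [t for t in TRANSITIONS if t not in INTERNAL_TS]   # external transitions
M0 = {"a": 1, "e0": 1}                                  # constructed initial marking

def key(m):                       # canonical, hashable form of a marking
    return tuple(sorted(m.items()))

def enabled(m, t):
    return all(m.get(p, 0) >= w for p, w in TRANSITIONS[t][0].items())

def fire(m, t):
    pre, post = TRANSITIONS[t]
    m2 = dict(m)
    for p, w in pre.items():
        m2[p] -= w
    for p, w in post.items():
        m2[p] = m2.get(p, 0) + w
    return {p: n for p, n in m2.items() if n}   # drop empty places

def reachable(m, ts):
    """Markings reachable from m using only the transitions in ts (m included)."""
    seen, todo = {key(m): m}, deque([m])
    while todo:
        cur = todo.popleft()
        for t in ts:
            if not enabled(cur, t):
                continue
            nxt = fire(cur, t)
            if key(nxt) not in seen:
                seen[key(nxt)] = nxt
                todo.append(nxt)
    return seen

def full_state_space(m0):
    """Ordinary reachability graph as (nodes, edges): every interleaving is kept."""
    nodes = reachable(m0, list(TRANSITIONS))
    return len(nodes), sum(enabled(m, t) for m in nodes.values() for t in TRANSITIONS)

def scc_of(node, local):
    """computeSCCs: the SCC of `local` in the local graph of node, represented by
    the set of its markings (standing in for the paper's SCC index)."""
    ts = REFINED[node][1]
    return frozenset(k for k, m in reachable(local, ts).items()
                     if key(local) in reachable(m, ts))

def global_vertex(m):
    """globalVertex(M): M|EP followed by the SCC of each refined node's marking."""
    ext = key({p: n for p, n in m.items() if p not in INTERNAL_PLACES})
    return (ext,) + tuple(scc_of(x, {p: n for p, n in m.items() if p in ps})
                          for x, (ps, _) in REFINED.items())

def internally_reachable(m, t):
    """internallyReachable(N, M, °t): markings after internal activity of the
    refined nodes in the preset of t; M itself is included."""
    result = {key(m): m}
    for ps, ts in REFINED.values():
        if not ps & set(TRANSITIONS[t][0]):
            continue
        for m1 in list(result.values()):
            rest = {p: n for p, n in m1.items() if p not in ps}
            for loc in reachable({p: n for p, n in m1.items() if p in ps}, ts).values():
                m2 = {**rest, **loc}
                result[key(m2)] = m2
    return list(result.values())

def rnss(m0):
    """Global graph as (vertices, edges); an edge carries the transition and the
    source/successor markings restricted to the refined places adjacent to it."""
    vertices, edges, waiting = {global_vertex(m0): m0}, set(), deque([m0])
    while waiting:
        m = waiting.popleft()
        src = global_vertex(m)
        for t in ET:
            touched = set(TRANSITIONS[t][0]) | set(TRANSITIONS[t][1])
            adj = {p for ps, _ in REFINED.values() if ps & touched for p in ps}
            for m1 in internally_reachable(m, t):
                if not enabled(m1, t):
                    continue
                m2 = fire(m1, t)
                dst = global_vertex(m2)
                label = (t, key({p: n for p, n in m1.items() if p in adj}),
                         key({p: n for p, n in m2.items() if p in adj}))
                edges.add((src, label, dst))
                if dst not in vertices:
                    vertices[dst] = m2
                    waiting.append(m2)
    return len(vertices), len(edges)
```

For this net the ordinary state space has 8 nodes and 16 edges, while the RNSS has 4 vertices and 8 edges; the intermediate markings of the chain never become global vertices, only local ones.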

4 Implementing the Incremental Algorithm 

The Maria reachability analyser |H| is a relatively new tool building on the earlier 
work with PROD mi- Maria has a modular design, so that different algorithms, 
front-ends, and state storage mechanisms can easily be incorporated. This mod- 
ularity, together with its simple text-based input language made it an attractive 
choice for implementing the above incremental reachability algorithms. 

Maria has been modified so that the following methodology can be adopted 
for analysing incrementally developed models: the abstract and refined nets are 
parsed and the refinements are detected; the reachability graph of the abstract 
net is then developed (if it does not already exist) and the incremental algorithm 
is used to develop the state space of the refined net. Thus, the syntax of Maria was 
extended to support the specification of the various refinements; and the analyser 
of Maria was modified to support the incremental algorithms. Full details of these 
changes can be found in [Z]. 

Currently, the data structures of Maria do not provide optimum support 
for incremental analysis. For example, the function edgesFrom-typeSubnet 
from Algorithm |21 requires us to determine those refined firing elements which 
map to enabled abstract firing elements. In order to do this, we need to be 
able (within the context of markings) to map from refined token elements to 
abstract token elements and back again. While the former direction is easily 
supported, the latter is not. Computing this information on the fly requires the 
same amount of effort as the transition instance analysis algorithm of Maria. 
Performance improvements can therefore be expected with special support for 
these mappings. This is a matter for further research. 

However, we are still able to gain some advantage in the implementation from 
the fact that the net has been refined by type and/or subnet refinement. First 
and foremost, we do not have to use the transition instance analysis algorithm on 
those transitions for which there is no corresponding enabled abstract transition. 
(This does not apply to transitions and/or firing modes which are introduced by 
subnet refinement.) Second, if the transition has not been changed then we do 
not have to check if it is enabled in the refined net and can obtain the refined 
successor marking by updating the abstract successor marking. 



5 Performance of the Incremental Algorithm 

In this section, we characterise the situations where the incremental algorithm 
can be expected to give a performance improvement over the standard algorithm, 
and also apply the algorithm to some case studies. The results quoted have been 
obtained using a 500MHz Intel 686 machine running Linux (kernel 2.2.15). The 
machine has 256MB random access memory (RAM) , and 2GB of virtual memory 
(which is the limit for this kernel). The code was compiled using the optimising 
option of the GNU Compiler Collection (version egcs-2.91.60). 

These tests use the reachability graph of the abstract net to determine the 
enabled abstract firing modes. We indicate the total time for the incremental 
algorithm, which consists of the time required to construct the abstract graph 
together with the time required to construct the refined graph using the incre- 
mental algorithm. In practice, however, we would normally expect the reachabil- 
ity graph for the abstract net to be constructed and analysed before the refined 
net is constructed, thus making the incremental algorithms even more attractive. 
As it is, even the total time for the incremental algorithm is, in some situations, 
less than the time required to construct the full reachability graph using the 
standard algorithm. 

One disadvantage of using the abstract graph to determine the enabled re- 
fined firing modes, is that both the abstract and refined graphs must be rep- 
resented in system memory¹. This means that if the abstract graph is large 
then the performance of the incremental algorithm may not be as good. On the 
other hand, if the refined graph is much larger than the abstract graph, then the 
amount of extra memory used to store the abstract graph becomes insignificant. 

We note that the longer the standard algorithm takes to construct the refined 
graph relative to the abstract graph, then the greater the likelihood that the 
incremental algorithm will demonstrate improvements. 

One significant advantage gained by the incremental algorithm is that refined 
firing elements do not have to be considered if the corresponding abstract firing 
elements are disabled. Therefore we can expect good performance improvement 



¹ Maria uses a hash table to represent the graph in system memory |H]. 
for the incremental algorithm if there is a large number of refined firing ele-
ments disabled for this reason. Such an example is shown in Figure 0. This net 
has an initialisation section which generates a number of tokens, and a process-
ing section which consumes them. The initialisation has a lot of disabled firing 
modes, which do not need to be examined in the refinement. The graph plots 
the time taken for the refined graph using the standard algorithm, the time for 
the abstract graph (using the standard algorithm), and the total time for the 
incremental algorithm as the value of n is increased in the abstract and re-
fined net of Figure El (a) and (b) respectively (where only the changed part of 
the refined net has been shown). 





[Figure 5: plot; x-axis: Value of n] 

Fig. 5. The effect of increasing the number of disabled firing elements 



Another significant advantage of the incremental algorithm is that it can save 
both time and space for a net with refined nodes, because it will not consider 
all the possible interleavings of the internal activity of the refined nodes. As 
the extent of interleaving between internal and external transitions of the net 
increases, so too does the performance improvement of the incremental algorithm 
compared to that of the standard algorithm. We can demonstrate this using the 
net of Figure El. The amount of internal activity is determined by the number of 
places in the sequence p1-p1 to p1-pn. The graph shows the performance of the 
incremental algorithm compared to that of the standard algorithm as the level 
of internal activity is increased (i.e. as the number of places in this sequence is 
increased). When the number of transitions in the sequence was greater than 12 
the standard algorithm could not complete due to insufficient virtual memory, 
whereas the incremental algorithm produced the complete RNSS in a little over 
a minute. 




[Figure 6: plot; legend: Time for refined graph using the standard algorithm; 
Time for RNSS (incremental algorithm)] 

Fig. 6. The effect of increasing the number of disabled firing elements 



Thus, it is not difficult to produce examples where the incremental algorithm 
can perform significantly better than the standard algorithm. We have also im- 
plemented two separate case studies to assess the performance of the incremental 
algorithm in practice: the Z39.50 Protocol for Information Interchange |S| and 
the Distributed Missile Simulator Model [2]. Both of these case studies have been 
developed incrementally. Our implementation of these studies together with a 
more detailed examination of the results obtained is given in 0. 

The Z39.50 Protocol model uses subnet refinement to introduce segmentation 
of responses — a capability added in the 1995 version of the protocol. With an 
initial marking typical of what we expect to be analysed, the standard algorithm 
takes 1 273 seconds whilst the time for the incremental algorithm is 676 seconds 
(plus 159 seconds to construct the abstract graph). We have observed similar 
results for other refinements of the Z39.50 protocol [Z|. 

The abstract model of the Distributed Missile Simulator is given in Figure 0 
The Outputs place and the Simulate transition of this abstract model are refined 
to capture more of the detail of the simulation algorithm. The refined Simulate 
transition includes calculations for the target, infrared, radar, and missile control. 
Type refinement is also used to introduce values for the coordinate data, such as 
the position of the missile and target. We have implemented a modified version 
of the refined model in Maria (since Maria only supports integer arithmetic). 

The distance to the target can be varied to achieve different numbers of 
iterations of the basic model. The graph of Figure Q shows the performance 
of the incremental algorithm compared to that of the standard algorithm for 
the refined model as the x-coordinate of distance is increased (while the y and 
z coordinates remain unchanged). When the x-coordinate of distance between 
the missile and target was set to 600m, the incremental algorithm constructed 
an RNSS in a few minutes whereas the standard algorithm exhausted virtual 
memory and could not complete. 



[Figure: abstract model of the Distributed Missile Simulator; label visible: Start State. 
Declarations: State = {Start, Update, Compare, Halt}, Vel = {v}, Pos = {p}] 

[Figure 7: plot] 

Fig. 7. The effect of increasing distance from the missile to the target 



6 Conclusions and Further Work 

In this paper we have presented algorithms for generating state spaces of systems 
exploiting their incremental structure. The incremental algorithms have been 
shown to give significant improvements in situations where there are a large 
number of refined firing elements that map to disabled abstract elements, and 
where there is significant interleaving between the local transitions of refined 
nodes. These significant benefits have been observed for real world studies — in 
one case it was the difference between producing the state space in less than an 
hour, as opposed to the standard algorithm which could not complete. 

As we have noted, this approach has points of contact with the modular anal- 
ysis of Christensen and Petrucci PJ. Their modules are quite general, provided 
they are built with transition fusion. Place fusion is problematic since finite 
local reachability graphs can still result in infinite global reachability graphs, 
as tokens are passed backwards and forwards between the modules. Our mod- 
ules arise from node refinement, which imposes certain behavioural constraints. 
Thus, if a superplace is considered to be a module, joined to its environment 
by place fusion, then the environment cannot extract any tokens which it has 
not deposited or which were not present initially. Thus, the combination of such 
modules by place fusion ceases to be a problem. 

We have considered transition refinements with multiple input and output 
border transitions (the distributed input and output of Vogler [I^). We have 
shown that with distributed input, we can generate the full reachability graph 
by unfolding the RNSS. With distributed output, unfolding is possible if there 
is a guarantee that once the first output border transition has fired, then the 
step sequence can be guaranteed to complete without firing any further input 
border transitions. In this case, the unfolding results in a stubborn set reduction 
of the full reachability graph (Jj. This optimisation was applied to the Missile 
Simulator example quoted in Section 5. 

We have also shown that it is possible to determine properties of the net 
— reachability, dead markings, liveness, home properties, and boundedness — 
directly from the RNSS, without needing to unfold it [Zj. If one is prepared 
to sacrifice the capability of recovering the full reachability graph, then it is 
possible to optimise the incremental algorithm even further. Thus, for example, 
there is no point trying to extract tokens from a refined place if the corresponding 
abstract tokens are not even available in the abstract marking. 

There are a number of interesting avenues for future work. An important 
issue would be the development of a state storage mechanism for Maria which 
would be tailored to the special needs of incremental analysis, including direct 
access to place markings. It may even be possible to design a data structure 
which would support sharing of state information between abstract and refined 
graphs. 

It would also be interesting to investigate the extent to which the incremen- 
tal algorithms could be combined with other state space reduction techniques. 
The incremental approach seems to be orthogonal to the Symmetric Occurrence 
Graphs. Also, while it does eliminate interleaving between the activity of differ- 
ent refined nodes, it may still be improved by combination with the Stubborn 
Set approach. 
Abstract. Reachability analysis and simulation tools for high-level nets 
spend a significant amount of the computing time in performing enabling 
tests, determining the assignments under which transitions are enabled. 
Unlike the majority of earlier work on computing enabled transition bind- 
ings, the techniques presented in this paper are highly independent of the 
algebraic operations supported by the high-level net formalism. 
Performing enabling tests is viewed as a unification problem. A uni- 
fication algorithm is presented and modifications to it are suggested. 
One variant of the algorithm constructs finite unfoldings for nets with 
unbounded domains. Some heuristics for optimising the enabling tests 
are discussed and their usefulness is evaluated based on experiments. 
The algorithms have been implemented in the reachability analyser 
Maria. 

Keywords: high-level Petri nets, reachability analysis, unification, un- 
folding 



1 Introduction 

Constructing computer-readable models for systems resembles programming in 
many aspects. High-level languages make it easier to create models or programs, 
but analysing or executing them involves an overhead, since the operations in 
the high-level specification have to be transformed to simpler operations that the 
underlying computing machinery is able to perform. This can be done either in 
one big preprocessing step that translates the whole input to a simpler language, 
or in smaller steps that interpret the high-level operations one at a time, or by 
performing a mixture of preprocessing and interpreting. 

There are several approaches to analysing high-level Petri nets. Structural 
techniques, such as determining invariants of a high-level net [E! and proving 
some properties based on them, are typically applied by humans and therefore 
only work on relatively small, highly abstracted models. Many computer-aided 
techniques are based on exhaustive state space exploration or reachability anal- 
ysis, generating all states reachable from the initial state of the model. 

Some reachability analyser tools work on low-level nets HSl- Such tools can 
analyse high-level nets if these are unfolded, translated to low-level nets in a 
preprocessing step. A straightforward unfolding, as the one defined for Algebraic 
system nets in uni Section 5.1], may yield places not connected to any transition, 
or transitions whose input places will never become marked. 

The unfolded net of a high-level net can be reduced by analysing the high- 
level net and overestimating the set of reachable markings. The unfolded net 
needs to contain only such places that can ever become marked according to the 
estimate. Similarly, only those transitions that are connected to these places need 
to be included in the unfolded net. Even when such reductions are applied, a 
high-level model whose variables have large domains may yield an unmanageably 
large unfolding, even if the full state space of the model is moderate. 

Reachability analysis can also be performed on the high level. This is com- 
putationally more complex than analysing low-level nets, since the transitions 
may fire in different modes, depending on the values assigned to their variables. 
Compared to unfolding, analysing models on the high level usually trades exe- 
cution time for memory space. When a net is unfolded, its high-level transitions 
are processed only once. When it is analysed on the high level, the transitions 
must be “unfolded”, or interpreted in each state that is explored. 

Our approach to the reachability analysis of high-level nets is a mixture of 
preprocessing and interpreting. We perform a series of translations on the model 
and set up auxiliary data structures that make it possible to use a simpler and 
more efficient algorithm for performing enabling tests. The idea is to find efficient 
static schedulings for input arc inscriptions and to apply computationally cheap 
heuristics for pruning transitions that are disabled in a marking. 

The notation in this paper is based on Algebraic system nets, defined by 
Kindler and Völzer in [I l)j . They can be considered as a slightly more formal 
version of coloured Petri nets 0. The class of nets we consider is more generic 
than the well-formed nets used by Chiola et al. j2], Gaeta 0 and Ilié et al. m 
and others at least in the following aspects: 

— data types are not limited to enumerations and tuples 

— algebraic operations may be irreversible 

— arcs may have variable-dependent weights or be multiset-valued 

The coloured nets used by Sanders m are more generic than well-formed nets 
but less generic than Algebraic system nets. His approach represents input arc 
expressions as variables with constant multiplicity. Since Sanders performs en- 
abling tests by solving constraint satisfaction problems, it is nontrivial to allow 
the arcs in his formalism to have variable-dependent weights. 

The formalism supported by our tool Maria is Algebraic system nets with 
some extensions and limitations. The main limitations are that variables on input 
arcs may not be multiset-valued, and all data types must have finite domains. 
These limitations ensure that every model in our formalism can be unfolded to 
a finite low-level net. 
1.1 Example: Changing Money 

Figure 1 illustrates a situation that could happen near a coin-operated machine. 
A customer comes to a cashier with a bank bill in his hand, asking “Could you 
break this for me?” The cashier then changes the money to an equivalent amount 
of money in smaller coins. In our algorithm, he always returns one type of coin, 
e.g. ten 1-unit coins for 10 units of money, and not e.g. one 5-unit coin and five 
1-unit coins. 




Fig. 1. An algorithm for breaking money. 



The model contains two places, customer and cashier, which represent the 
money held by the two parties. The only transition of the model has two input 
variables, big and small, the monetary values. A transition guard specifies that 
the monetary value of big must be greater than that of the change coins small. 

When the cashier receives a piece of money from the customer, he first chooses 
one of his coins and then picks enough of them so that the monetary values 
match. The output arcs of the transitions make use of special multiset-valued 
variables, which are short-hand notation of our tool for more complex arc in- 
scriptions. These variables refer to the multisets that the input arcs connected 
to the corresponding places evaluate to. Thus, the cashier receives the coins the 
customer took from his purse and vice versa. 

As we shall see later, the definition of Algebraic system nets allows arbitrary 
multiset-valued arc inscriptions. We could replace the complex inscription of 
the arc running from the place cashier to the transition in Figure 1 with a 
reference to a multiset-valued variable change, and replace the transition guard 
with big = change{rn)m, requiring that no money is made or lost. Alas, this 
kind of a definition could introduce a combinatorial explosion in the analysis. 
On input arcs, our approach does not allow multiset-valued variables, but it 
does support more complex multiset-valued terms, provided that they can be 
evaluated based on variable bindings obtained from other arcs. 

2 Basic Concepts 

Before presenting our algorithm, we must define some basic concepts. We refer 
the reader to cni Section 3.1-3.2] for a more detailed introduction to Alge-
braic system nets and the underlying mathematical concepts. Our definition 
of algebras has some extensions to the original. Evaluation errors are helpful 
in tracking modelling errors. Our tool does not silently ignore transitions that 
cannot be fired due to errors such as arithmetic overflow. Models with variable-
weight arcs may benefit from undefined variables. If a variable occurs only on 
arcs whose multiplicity evaluates to zero, it does not need to be defined in order 
for the transition to be fired. Space limitations prohibit us from formally defining 
another extension, short-circuit evaluation of if-then-else expressions. 

Algebras and signatures. A signature $SIG = (S, OP)$ consists of a finite set $S$ 
of sort symbols and a pairwise disjoint family $OP = (OP_a)_{a \in S^+}$ of operation 
symbols. A $SIG$-algebra $\mathcal{A} = (A, f)$ consists of a family $A = (A_s)_{s \in S}$ of sets and 
a family $f = (f_{op})_{op \in OP}$ of total functions. Let $e \notin A$ be an error symbol and 
$A^e_s = A_s \cup \{e\}$. For $op \in OP_{s_1 \ldots s_n s_{n+1}}$, let $f_{op} : A^e_{s_1} \times \cdots \times A^e_{s_n} \to A^e_{s_{n+1}}$ such 
that the image of the subset $(A^e_{s_1} \times \cdots \times A^e_{s_n}) \setminus (A_{s_1} \times \cdots \times A_{s_n})$ equals $e$; that 
is, whenever an argument equals $e$, so does the result. A set $A_s$ of an algebra is 
called a domain and a function $f_{op}$ is called an operation of the algebra. 

In the following we assume that a signature $SIG$ has the sort symbols 
$bool, nat \in S$ and in each $SIG$-algebra the corresponding domains are $A_{bool} = 
\mathbb{B} = \{true, false\}$ and $A_{nat} = \mathbb{N} = \{0, 1, \ldots\}$. 

Variables and terms. For a signature $SIG = (S, OP)$ we call a pairwise disjoint 
family $X = (X_s)_{s \in S}$ with $X \cap OP = \emptyset$ a sorted $SIG$-variable set. A term, asso-
ciated with a particular sort, is built up from variables and operation symbols. 
The set of $SIG$-terms over $X$ of sort $s$ is denoted by $T^{SIG}_s(X)$ and inductively 
defined by: 

1. If $x \in X_s$, then $x \in T^{SIG}_s(X)$. 

2. If $u_k \in T^{SIG}_{s_k}(X)$ for some $k \in \{1, \ldots, n\}$ and $op \in OP_{s_1 \ldots s_n s_{n+1}}$, then 
$op(u_1, \ldots, u_n) \in T^{SIG}_{s_{n+1}}(X)$. 

The set of all terms (of any sort) is denoted by $T^{SIG}(X)$. A term without 
variables, a ground term, of sort $s$ belongs to the set $T^{SIG}_s = T^{SIG}_s(\emptyset)$. 

Evaluation of terms. For a signature $SIG = (S, OP)$, a sorted $SIG$-variable 
set $X = (X_s)_{s \in S}$, and a $SIG$-algebra $\mathcal{A} = ((A_s)_{s \in S}, (f_{op})_{op \in OP})$, a mapping 
$\beta : X \to A \cup \{e\}$ is an assignment for $\mathcal{A}$ iff for each $s \in S$ and $x \in X_s$ holds 
$\beta(x) \in A_s \cup \{e\}$ where $e \notin A$ denotes an undefined variable. We canonically 
extend $\beta$ to a mapping $\beta : T^{SIG}(X) \to A \cup \{e\}$ by: 

1. $\beta(x) = \beta(x)$ for $x \in X$. 

2. $\beta(op(u_1, \ldots, u_n)) = f_{op}(\beta(u_1), \ldots, \beta(u_n))$ for $op(u_1, \ldots, u_n) \in T^{SIG}(X)$. 

Let $\beta_\emptyset : \emptyset \to A \cup \{e\}$ be the unique assignment for the empty variable set. 


2.1 Algebraic System Nets 

Algebraic system nets are based on a special case of the algebras defined above. 
We distinguish some ground-sorts and assign a bag-sort (a finite nonnegative 
multiset sort) to each ground-sort. The domain associated with a bag-sort must 
be a multiset over the domain of the corresponding ground-sort. 
Definition 1 (Bag-signature, $BSIG$-algebra). Let $SIG = (S, OP)$ be a sig-
nature and $BS, GS \subseteq S$. $BSIG = (S, OP, bs)$ is a bag-signature iff $bs : GS \to 
BS$ is a bijective mapping. An element of $GS$ is called a ground-sort, an element 
of $BS$ is called a bag-sort of $BSIG$. A $SIG$-algebra $\mathcal{A} = (A, f)$ is a $BSIG$-algebra 
iff for each $s \in GS$ holds $A_{bs(s)} = BAG(A_s) = (A_s \to \mathbb{N})$. 

Definition 2 (Algebraic system net). Let $BSIG = (S, OP, bs)$ be a bag-
signature with bag-sorts $BS$. An algebraic system net $\Sigma = (N, \mathcal{A}, X, i)$ over 
$BSIG$ consists of 

1. a finite net $N = (P, T, F)$ where $P \cap T = \emptyset$, $F \subseteq (P \times T) \cup (T \times P)$ and $P$ 
is sorted over $BS$, i.e., $P = (P_s)_{s \in BS}$ is a bag-valued $BSIG$-variable set, 

2. a $BSIG$-algebra $\mathcal{A}$, 

3. a sorted $BSIG$-variable set $X$ disjoint from $P$, 

4. a net inscription $i : P \cup T \cup F \to T^{BSIG}(X)$ such that 

a) for each $p \in P_s$ : $i(p) \in T^{BSIG}_s$, 

b) for each $t \in T$ : $i(t) \in T^{BSIG}_{bool}(X)$, and 

c) for each $t \in T$ and $p \in P_s$ and $f \in F$ with $f = (p, t)$ (input arc) or 
$f = (t, p)$ (output arc) holds $i(f) \in T^{BSIG}_s(X)$. 

For a place $p \in P$, the inscription $i(p)$ is called the symbolic initial marking of 
$p$; for a transition $t \in T$, the term $i(t)$ is called the guard of $t$. 

It is worth noting that Definition 2, replicated from pa Definition 3], allows 
multiset-valued operations and variables in arc inscriptions (annotations). The 
Maria tool [11, 12] makes use of both.¹ Arcs with variable weights are useful 
when modelling certain types of resource management. 

The basic semantics of Algebraic system nets, including the firing rule, have 
been defined by Kindler and Völzer in in Definitions 4-6]. 

2.2 Unification Concepts 

There are at least two ways to construct the set of assignments under which a 
transition is enabled. One way is to construct all possible assignments for the 
variables that occur in the arc inscriptions and in the guard of the transition, 
and to prune those assignments under which the arc inscriptions and the guard 
fail to fulfil the firing rule. This is the usual way when a net is unfolded; see 
e.g. pa Definition 13] . This approach does not work very well if the transitions 
have a large (or infinite) number of possible assignments (firing modes), and the 
transitions are enabled in only a few firing modes in the reachable states. 

Fortunately, there is a more efficient approach for the case when the input 
places of a transition are marked sparsely. The process of finding assignments or 
substitutions under which two algebraic terms are equivalent is often referred to 
as unification, e.g. P pp. 74-76]. In algebraic system nets, we can unify input arc 
inscriptions with a marking of the net. In this case, a unifier is an assignment for 
the transition variables under which the evaluations of the input arc inscriptions 
are contained in the corresponding input place markings. 

¹ Maria allows multiset-valued variables on output arcs, where they refer to the mul-
tisets removed from the input places; see Figure 1. 

If the algebraic operations are not restricted, there might be prohibitively 
many unifiers. For instance, consider the constant $2 \in \mathbb{N}$ and the expression 
$x + y$. If the variables $x$ and $y$ are known to be sorted over $nat$, then three as-
signments are possible unifiers: $\{(x, 0), (y, 2)\}$, $\{(x, 1), (y, 1)\}$, and $\{(x, 2), (y, 0)\}$. 
If the constant was $n$, there would be $n + 1$ different unifiers. If either variable 
was allowed to be negative, there would be infinitely many unifiers. 

In order to avoid a combinatorial explosion, we have to restrict the set of 
algebraic terms that the unification algorithm examines to find values for vari-
ables. A natural way of making this restriction is to limit the set of operations 
the unification algorithm recognises in such a way that the choice of unifiers is 
always unique. This rules out the operation $+$ in our previous example. 

We distinguish two classes of operations that are recognised by our algo-
rithm. Reversible unary operations, such as taking the successor of an element 
in a sequence, can be “neutralised” by applying a reverse operation, such as 
the predecessor operator. Other operations that the algorithm must know are 
constructors that tie terms together. For instance, we want to be able to unify 
the variables in the term $(x, y)$ with the constants in the ground term $(1, 2)$. 

Definition 3 (Unifier candidate, assignment compatibility). Let $SIG = 
(S, OP)$ be a signature with the variable set $X$, and let $\mathcal{A} = (A, I)$ be a $SIG$- 
algebra with the error symbol $\varepsilon \notin A$. Let $OP_c \subseteq OP$ be the set of constructor 
operations, and let $rop \subseteq (OP \to OP)$ be the map of reversible unary operations 
such that 

$$\forall op \in \operatorname{dom} rop : \exists s, s' \in S : op \in OP_{s,s'} : \forall a \in A_s : I_{rop(op)}(I_{op}(a)) = a.$$

Furthermore, let $s, s' \in S$, $x \in X_s$ and $T \in T^{SIG}_{s'}(X)$. The variable $x$ is said to 
be unifiable from $T$, denoted $x \lhd T$, if 

1. $T = x$, or 

2. for some $op \in OP_c$ and $k \in \{1, \ldots, n\}$, $T = op(T_1, \ldots, T_n)$ and $x \lhd T_k$, or 

3. for some $op \in \operatorname{dom} rop$, $T = op(T')$ and $x \lhd T'$. 

Let $T_\beta$ be a term of sort $s'$ and $x \lhd T$. A unifier candidate $x \lhd_{T_\beta} T$ is inductively defined as 
follows: 

1. $T_\beta$, if $T = x$, 

2. $x \lhd_{T_{k\beta}} T_k$, if for some $op \in OP_c$, $T = op(T_1, \ldots, T_n)$, $T_\beta = op(T_{1\beta}, \ldots, T_{n\beta})$, 
$k \in \{1, \ldots, n\}$ and $x \lhd T_k$, and there is no $1 \le j < k$ such that $x \lhd T_j$,^ or 

3. $x \lhd_{T'_\beta} T'$, if for some $op \in \operatorname{dom} rop$, $T = op(T')$ and $x \lhd T'$, for $T'_\beta = 
rop(op)(T_\beta)$. 

Let $\beta : X \to A$. The terms $T$ and $T_\beta$ are compatible under $\beta$, denoted $T \sim_\beta T_\beta$, 
if either 

1. $\beta(T) = \beta(T_\beta)$, or 

2. for some $op \in OP_c$, $T = op(T_1, \ldots, T_n)$ and $T_\beta = op(T_{1\beta}, \ldots, T_{n\beta})$, and 
$T_k \sim_\beta T_{k\beta}$ for $k \in \{1, \ldots, n\}$, or 

3. for some variable $x$ in $T$, $\beta(x) = \varepsilon$. 

^ Requiring the smallest $k$ to be chosen ensures that unifier candidates are unique. 

Continuing our example, and assuming that the operation $+$ is a constructor, 
$+ \in OP_c$, the definition yields no unifier candidates for $x$ and $y$, if $T$ is $x + y$ 
and $T_\beta$ is $2$. If $T_\beta$ was $1 + 2$, then we would have $x \lhd_{T_\beta} T$ equal to $1$ and $y \lhd_{T_\beta} T$ 
equal to $2$. The terms are compatible under the assignment $\beta = \{(x, 1), (y, 2)\}$ 
constructed from these candidates, since $x + y \sim_\beta 1 + 2$. 

Restrictions of Unification. An analyser implementation can considerably 
restrict the set of operations supported by unification and the set of reversible 
operations. Maria only looks for variables inside so-called constructor terms 
which construct values of structured data types out of components. From the 
constructor term $(x, (y + 1, z))$, it could find unifier candidates for $x$ and $z$, but 
not for $y$, since $y \ntriangleleft y + 1$. It also performs constant folding by replacing ground 
terms with equivalent nullary operators. It would transform the $T_\beta = 1 + 2$ in 
our above example to $\beta_\emptyset(T_\beta) = 3$. 




The operation collections $OP_c$ and $\operatorname{dom} rop$ in Definition 3 strongly affect 
the set of unifiable variables. The more operations are contained in these sets, 
the more unifier candidates are possible. Consider the model shown in Figure 2. 
If multiplication by a constant belongs to the set of reversible operations, it is 
possible to unify $y$ from the term $2y$ by unifying $y$ with the given ground term 
(2 or 4) divided by 2. 

We have not presented any algorithms yet, but we are about to face a some- 
what philosophical question. Should a unification algorithm be able to find all 
possible assignments that enable the transition, or does it suffice for the algo- 
rithm to deal with real models, and report errors for cases it cannot handle? 
An implementation that restricts the sets of supported operations is likely to be 
more efficient and less prone to errors than one that tries to handle everything. 
For instance, when making basic arithmetic operations reversible, one must take 
care of arithmetic precision and exceptional situations. 

Variables that are not unifiable by Definition 3 could be handled by nonde- 
terministically picking values for them from their domains and by checking the 
terms for compatibility, but doing so is computationally expensive if the domains 
are large or there are many such variables. It is easier to report “variables cannot 
be unified” even though it might be possible to unify them. According to our 
experience with practical models, this works pretty well. One can always gain 
expressive power by replacing problematic terms with new variables and guards. 

Splitting the Arcs. In typical models, arc expressions consist of elementary 
multisets (single-item multiset constructor terms) combined with multiset sum- 
mation. In order to improve the granularity of our algorithm, we write each input 
arc inscription as such a combination of terms. Sanders refers to this as arc un- 
folding [?, Section 3]. For instance, the rightmost arc of the model illustrated 
in Figure 2 is split into two arcs, with the inscriptions 3‘x and 1‘(x + 1). 

The claim “any arc with a non-elementary multi-set may be ‘unfolded’ into 
multiple arcs” by Sanders [?, Section 3] is difficult to fulfil if the arcs contain 
multiset-valued variables or other multiset operations than the two we defined 
above. Our approach does not restrict the set of multiset operations. 

We distinguish three kinds of split arc inscriptions: ones that contain unifiable 
variables, ones that can be evaluated under a partial assignment incrementally 
constructed by our algorithm, and others. In Figure 2 the arcs 1‘(x, y) and 3‘x 
contain variables that our implementation can unify. Other inscriptions can be 
arbitrary multiset-valued terms. What matters is that whenever the unification 
algorithm finds a complete assignment, all arc inscriptions are compatible under 
it with the ground terms corresponding to the given marking of the model. 

3 The Unification Algorithm 

Our unification algorithm performs a depth-first search on the input arc inscrip- 
tions of the transition, split as described earlier. The algorithm is remarkably 
simple, since it processes the arcs in a fixed order produced in static analysis. 
Static analysis also determines which variables will be unified from which arc 
inscriptions, and verifies that all variables can be unified.^ 

The input arc inscriptions are split into items $S_k = (T_k, X_k, p_k, m_k) \in 
T^{SIG}(X) \times \mathcal{P}(X) \times P \times BAG(A_s)$, $k \in \{1, \ldots, n\}$ for some $n$, such that 

— the variable sets $X_k$ are pairwise disjoint: $X_j \cap X_k = \emptyset$ if $j \ne k$ 

— no $T_k$ refers to a variable outside $\bigcup_{j=1}^{k} X_j$ 

— if $X_k = \emptyset$: $T_k$ is a multiset-valued term 

— if $X_k \ne \emptyset$: $T_k = T'$‘$T''$, where $T'$ is a term of sort nat and $\forall x \in X_k : x \lhd T''$ 

— the input arcs of the transition and their inscriptions can be constructed 
from all places $p_k$ and split inscriptions $T_k$ via multiset summation 

The last component, $m_k$, is a place-holder for the multiset the term is supposed 
to evaluate to. Our algorithm does not refer to it before initialising it; for con- 
venience, we can assign it to the empty multiset here. 

^ A variable unified from a variable-multiplicity arc may remain undefined if the mul- 
tiplicity of the arc evaluates to zero. 
The input arcs of the only transition in Figure 2 can be split e.g. so that 

$S_1 = (T_1, X_1, p_1, m_1) = (3$‘$x, \{x\}, \mathit{right}, \emptyset)$ 

$S_2 = (T_2, X_2, p_2, m_2) = (1$‘$(x, y), \{y\}, \mathit{middle}, \emptyset)$ 

$S_3 = (T_3, X_3, p_3, m_3) = (1$‘$(x + 1), \emptyset, \mathit{right}, \emptyset)$ 

$S_4 = (T_4, X_4, p_4, m_4) = (1$‘$2y, \emptyset, \mathit{left}, \emptyset)$. 

The first components of the tuples are the split arc inscriptions. The second 
components are the “new” unifiable variables. Let us observe $S_2$ a bit more 
closely. We have $X_2 = \{y\}$, although also $x$ could be unified: $x \lhd (x, y)$. Including 
$x$ in $X_2$ would violate the disjointness property, since $x \in X_1$. In a sense, the 
variable $x$ will “already” be unified from $S_1$. Also, the terms $T_3$ and $T_4$ are 
“constant” since their variables can be unified from the earlier arcs $S_1$ and $S_2$. 

3.1 The Basic Algorithm 

    Analyse(S, n, M):                          ▷ Analyse arcs S_1..S_n w.r.t. marking M 
        β ← (∪_{k=1}^{n} X_k) × {ε} 
        Analyse-Arcs(S, 1, n, M, β) 

    Analyse-Arcs(S, k, n, M, β):               ▷ Analyse arcs S_k..S_n w.r.t. M and β 
        if k = n then print β 
        else 
            (T_k, X_k, p_k, m_k) ← S_k 
            if X_k = ∅ then 
                Analyse-Constant(S, k, n, M, β) 
            else 
                Analyse-Variable(S, k, n, M, β) 

    Analyse-Constant(S, k, n, M, β):           ▷ Evaluate arc S_k 
        (T_k, X_k, p_k, m_k) ← S_k 
        m_k ← β(T_k) 
        if m_k = ε then 
            print “undefined arc”, β, T_k 
        else 
            if M(p_k) ≥ m_k then 
                M' ← M 
                M'(p_k) ← M(p_k) − m_k 
                Analyse-Arcs(S, k + 1, n, M', β) 

    Analyse-Variable(S, k, n, M, β):           ▷ Analyse arc S_k, augment β 
        (T_k, X_k, p_k, m_k) ← S_k              ▷ T_k = T'‘T'' 
        c ← β(T') 
        if c = ε then 
            print “undefined multiplicity”, β, T_k 
            return 
        if c = 0 then 
            m_k ← ∅ 
            Analyse-Arcs(S, k + 1, n, M, β) 
        else 
            for each m : M(p_k) ≥ c‘m do 
                m_k ← c‘m 
                β' ← β 
                for each x ∈ X_k do 
                    β'(x) ← β(x ◁_m T'') 
                if ∧_{j=1}^{k} T_j ∼_{β'} m_j then 
                    M' ← M 
                    M'(p_k) ← M(p_k) − m_k 
                    Analyse-Arcs(S, k + 1, n, M', β') 

Fig. 3. The unification algorithm. 



Our unification algorithm is presented in Figure 3. The computation is ini- 
tiated by invoking Analyse with the split input arc inscriptions $S$, their 
number $n$ and a marking $M : P \to BAG(A)$ of the net. The computation step of 
the depth-first search is divided into two alternatives: processing a “constant” 
arc (arc with no new bindable variables), and obtaining new variable bindings 
from an arc. 



An Example. Continuing our running example from Figure 2, the call to Anal- 
yse on the initial marking of the model proceeds as follows. The assignment is 
initialised to $\beta = \{(x, \varepsilon), (y, \varepsilon)\}$, and control is passed to Analyse-Arcs and 
further to Analyse-Variable. The multiplicity of $T_1 = 3$‘$x$ evaluates to $c = 3$. 
Now Analyse-Variable loops over all items in the marking of right whose 
multiplicity is at least 3. It turns out that $m = 2$ is the only choice. 

A new assignment with $\beta'(x) = 2$ is computed. Since all terms unified so 
far are compatible under this assignment, the multiset is reserved from the 
marking and the control is transferred to Analyse-Arcs, which passes it again 
to Analyse-Variable to handle the next term, 1‘(x, y). Both tokens in the 
place middle are tried, but only $(2, 1)$ passes the compatibility check with $x$. 
Therefore, the assignment is transformed to $\beta' = \{(x, 2), (y, 1)\}$. 

The remaining two arcs are handled by Analyse-Constant, which ensures 
that there are enough tokens for them. Finally, Analyse-Arcs prints out the 
assignment. At this point, the marking passed to it equals the original marking 
minus the evaluations of the input arcs under the assignment. The algorithm 
starts to backtrack. Since there were no other feasible choices in either active 
instance of Analyse- Variable, the algorithm terminates. 
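The search of Fig. 3 on the running example, as an added Python example that is not the paper's or Maria's code: terms are nested tuples, the pair constructor and the reversible operation succ (x + 1) stand in for $OP_c$ and $\operatorname{dom} rop$ of Definition 3, and the marking of the places right, middle and left is constructed so that the run matches the one traced above (x = 2 from right, then y = 1 from the token (2, 1) in middle).

```python
from collections import namedtuple
EPS = None  # the undefined value ε
# Terms: int constants, ('var', name), pair constructor ('tup', t1, t2), reversible
# unary op ('succ', t) with rop(succ) = pred, and ('dbl', t) = 2t, which is deliberately
# not registered as reversible, so no variable is unified through it (cf. y ⋪ y + 1).
REVERSE = {'succ': lambda a: a - 1}
OPS = {'succ': lambda a: a + 1, 'dbl': lambda a: 2 * a, 'tup': lambda *a: tuple(a)}

def evaluate(term, beta):
    """β(T): EPS as soon as the term touches an undefined variable."""
    if isinstance(term, int):
        return term
    if term[0] == 'var':
        return beta.get(term[1], EPS)
    args = [evaluate(t, beta) for t in term[1:]]
    return EPS if EPS in args else OPS[term[0]](*args)

def unifiable(x, term):
    """x ◁ T: x is reachable through constructors and reversible unary ops only."""
    if isinstance(term, int) or term[0] == 'var':
        return term == ('var', x)
    return (term[0] == 'tup' or term[0] in REVERSE) and any(unifiable(x, t) for t in term[1:])

def candidate(x, term, value):
    """x ◁_{T_β} T: the value x must take for T to denote the ground value."""
    if term == ('var', x):
        return value
    if term[0] == 'tup':
        for sub, v in zip(term[1:], value):       # the smallest matching k is chosen
            if unifiable(x, sub):
                return candidate(x, sub, v)
    if term[0] in REVERSE:                        # neutralise op with rop(op)
        return candidate(x, term[1], REVERSE[term[0]](value))
    raise ValueError(f'{x} is not unifiable from {term}')

Arc = namedtuple('Arc', 'mult item vars place')   # S_k = (T_k, X_k, p_k, ·), T_k = mult‘item
def arc_value(arc, beta):
    """β(T_k) as a multiset {item: multiplicity}, or EPS."""
    c, item = evaluate(arc.mult, beta), evaluate(arc.item, beta)
    if c is EPS or item is EPS:
        return EPS
    return {item: c} if c else {}

def contains(place_marking, ms):                  # M(p_k) ≥ m_k
    return all(place_marking.get(i, 0) >= c for i, c in ms.items())

def remove(M, place, ms):                         # M' with M'(p_k) = M(p_k) − m_k
    M2 = {p: dict(m) for p, m in M.items()}
    for i, c in ms.items():
        M2[place][i] -= c
    return M2

def analyse(arcs, M):
    """Analyse(S, n, M) of Fig. 3; collects completed assignments instead of printing."""
    beta = {x: EPS for a in arcs for x in a.vars}   # β ← (∪ X_k) × {ε}
    found = []
    analyse_arcs(arcs, 0, M, beta, [], found)
    return found

def analyse_arcs(arcs, k, M, beta, reserved, found):
    if k == len(arcs):                            # every arc processed: report β
        found.append(dict(beta))
    elif arcs[k].vars:
        analyse_variable(arcs, k, M, beta, reserved, found)
    else:
        analyse_constant(arcs, k, M, beta, reserved, found)

def analyse_constant(arcs, k, M, beta, reserved, found):
    arc = arcs[k]
    mk = arc_value(arc, beta)
    if mk is EPS:
        print('undefined arc', beta, arc)
    elif contains(M[arc.place], mk):              # otherwise backtrack silently
        analyse_arcs(arcs, k + 1, remove(M, arc.place, mk), beta, reserved + [mk], found)

def analyse_variable(arcs, k, M, beta, reserved, found):
    arc, c = arcs[k], evaluate(arcs[k].mult, beta)
    if c is EPS:
        print('undefined multiplicity', beta, arc)
        return
    if c == 0:                                    # the variables in X_k stay undefined
        analyse_arcs(arcs, k + 1, M, beta, reserved + [{}], found)
        return
    for item in [i for i, n in M[arc.place].items() if n >= c]:   # M(p_k) ≥ c‘m
        mk, beta2 = {item: c}, dict(beta)
        for x in arc.vars:
            beta2[x] = candidate(x, arc.item, item)
        res = reserved + [mk]
        # compatibility check over all arcs so far: T_j ∼_{β'} m_j (equal or undefined)
        if all(arc_value(arcs[j], beta2) in (EPS, res[j]) for j in range(k + 1)):
            analyse_arcs(arcs, k + 1, remove(M, arc.place, mk), beta2, res, found)

# Split arcs S1..S4 of the running example: 3‘x, 1‘(x, y), 1‘(x + 1), 1‘2y.
ARCS = [Arc(3, ('var', 'x'), frozenset({'x'}), 'right'),
        Arc(1, ('tup', ('var', 'x'), ('var', 'y')), frozenset({'y'}), 'middle'),
        Arc(1, ('succ', ('var', 'x')), frozenset(), 'right'),
        Arc(1, ('dbl', ('var', 'y')), frozenset(), 'left')]
# Constructed marking: right holds 2 three times and 3 once, middle (2,1) and (1,1), left 2.
MARKING = {'right': {2: 3, 3: 1}, 'middle': {(2, 1): 1, (1, 1): 1}, 'left': {2: 1}}
```

Calling `analyse(ARCS, MARKING)` returns the single assignment `[{'x': 2, 'y': 1}]`; the token (1, 1) in middle is rejected by the compatibility check, and a marking whose place left lacks the token 2 yields no assignment at all, because Analyse-Constant backtracks on 1‘2y.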



Some Remarks. For the sake of simplicity, the illustrated procedures do not 
cover guards. In our implementation, guards are split to terms combined via 
logical conjunction. Whenever all the variables of a guard term become defined 
(due to assignments to $\beta'(x)$ in Analyse-Variable), the term is evaluated. If 
the guard evaluates to false, the algorithm backtracks, just like it does in case 
a term $T_k$ becomes incompatible. If an evaluation error occurs, the algorithm 
displays the assignment for diagnostics and backtracks. 

Procedure Analyse-Variable evaluates the multiplicity of a term $T_k$. When 
the multiplicity evaluates to zero, the variables in $X_k$ remain undefined. As a 
result of this, the completed valuations displayed by Analyse-Arcs may contain 
undefined variables. This is not a problem if these variables are never evaluated 
due to short-circuit evaluation. Otherwise an error may occur when the transition 
is fired and its output arcs are evaluated. Also, before firing a transition, our 
implementation ensures that the guard evaluates to true.^ 



Correctness. The calling hierarchy of the algorithm is straightforward. The 
main procedure Analyse invokes Analyse-Arcs, which passes control to either 
Analyse-Constant or Analyse-Variable, which in turn call Analyse- 
Arcs. Each recursive call to Analyse-Arcs increments $k$, and the recursion 
terminates at $k = n$. 

^ Traditionally, “don’t care” variables are assigned a nondeterministic choice of values 
from their domains. This generates unnecessary transition instances with identical 
behaviour. To avoid this, we assign these variables the special value $\varepsilon$. 

The assignment passed to Analyse-Arcs initially maps each variable to the 
undefined value. The only place where the assignment is modified is in Analyse- 
Variable, where only previously undefined variables can be assigned.^ 

When Analyse-Arcs is invoked with $k = n$, the evaluation of the arc in- 
scriptions under the gathered assignment is a subset of the marking passed to 
Analyse. This follows from two facts. Firstly, whenever the algorithm unifies an 
inscription and a multiset, it ensures that the marking contains the multiset and 
removes the multiset from the marking used for unifying further inscriptions. 

Secondly, all split arc inscriptions are evaluated and ensured to match the 
multiset assigned to them. The procedure Analyse-Constant evaluates the 
split arc inscription under the assignment gathered so far. In the procedure 
Analyse-Variable, the relationship between arc inscriptions and markings is 
restricted by the compatibility check $\bigwedge_{j=1}^{k} T_j \sim_{\beta'} m_j$. In the deepest call to 
Analyse-Variable, all variables have been assigned, and the compatibility 
check is equivalent to $\bigwedge_{j=1}^{k} \beta'(T_j) = m_j$. 

To be sure that the algorithm finds all assignments or reports errors, we must 
investigate the conditions under which it backtracks without reporting anything. 
The procedures Analyse and Analyse-Arcs do not backtrack. Analyse- 
Constant does backtrack when an input place would have an insufficient mark- 
ing, when the test $M(p_k) \ge m_k$ fails. Analyse-Variable silently backtracks 
when the arc inscriptions unified so far would be incompatible under the assign- 
ment, causing the test $\bigwedge_{j=1}^{k} T_j \sim_{\beta'} m_j$ to fail. Clearly, all assignments under 
which transitions are enabled must pass these tests. Therefore, the algorithm 
finds all relevant assignments. 



3.2 Firing Transitions 

At the moment when Analyse-Arcs displays a completed valuation $\beta$, the 
marking $M$ passed to it is exactly the original marking passed to Analyse, 
minus the evaluations of the input arc inscriptions under $\beta$. Transition firing 
can be integrated to our enabling test algorithm by just replacing the print 
statement with something that binds the rest of the variables^ and adds the 
evaluations of the output arcs to $M$. 

Our current implementation of the algorithm combines enabling tests with 
firing. This is useful when all immediate successors of a state are to be generated, 
since there is no need to explicitly store the assignments. Also, if input and 
output arcs have similar inscriptions, some output arc inscriptions may have 
already been evaluated on the input side, and applying an optimisation technique 
called common subexpression elimination can save computations. 

^ The variables are previously undefined, since the variable sets $X_k$ are required to be 
pairwise disjoint. 

^ In our implementation, output arc inscriptions may make use of nondeterministically 
bound variables and multiset-valued variables that represent the tokens removed 
from the input places. 



3.3 Unfolding 

With slight modifications, the enabling test algorithm can also be used for un- 
folding algebraic system nets to compact Place/Transition nets. Doing so has 
at least the following advantages: 

— simple modifications: easy implementation, small chance of errors 

— smaller unfolded net: 

  — no unconnected places 

  — sometimes finite unfoldings for nets with infinite domains 

There are two unfolding options in Maria: reduced and traditional. The latter 
option essentially implements the traditional definition of unfolding, e.g. [?, 
Definition 13], generating all possible assignments for all transitions. It doesn’t 
generate all low-level places, though; only places that are connected to a low-level 
transition or are initially marked are generated. 

The reduced unfolding option works by maintaining a set of low-level places 
that can ever be marked. This set is represented as a marking $M$ of the high-level 
net. For all places $p \in P$ that contain tokens $m$ in the marking, $M(p)(m) > 0$, 
there exists a low-level place $(p, m)$. This marking is constructed incrementally, 
starting from the initial marking of the net. 

The multiset containment comparisons $M(p_k) \ge m_k$ in Analyse-Constant 
and Analyse-Variable are modified so that they ignore the exact multiplici- 
ties: the comparison holds if and only if for each $d$ such that $m_k(d) > 0$, it holds that 
$M(p_k)(d) > 0$. 

Once the modified algorithm completes an assignment $\beta$ of a transition $t$, it 
must unfold the input and output arcs of the transition. Our implementation 
accomplishes this by constructing two collections of multisets for the high-level 
input and output arcs: $M_-(p) := \beta(i((p, t)))$ and $M_+(p) := \beta(i((t, p)))$. For each 
value $d$ such that $M_-(p)(d) > 0$, it constructs a low-level input arc of weight 
$M_-(p)(d)$ from the low-level place $(p, d)$ to the low-level transition. The 
output arcs are constructed in a similar way. The marking $M$ is augmented with 
$M_+$. The algorithm keeps unfolding the high-level transitions in different modes 
until no new items are introduced in $M$. 

When applied to the net illustrated in Figure 2, this algorithm yields the 
place/transition system illustrated in Figure 4, no matter how big domains the 
high-level places have. It can be easily seen that if the initial marking of this 
net contains $n$ different tokens, the unfolded net can have at most $2n$ places and 
$(\ldots + n)$ transitions. 

It should be noted that also the reduced unfolding may be unmanageably 
large even if the high-level system has a small state space. A minimal unfolding 
(with no dead places or transitions) could be extracted from the full reachabil- 
ity graph of the high-level system by constructing only those low-level places 
that ever become marked and those transitions that ever fire. In the case of 
Figure 4, the reduced unfolding is also a minimal unfolding, since all transitions 
are enabled in the initial state and there cannot be dead places or transitions. 

Optimising Enabling Tests and Unfoldings of Algebraic System Nets 295 

Fig. 4. A reduced unfolding of the net presented in Figure 2. 

4 Optimisation Techniques 

The first unification algorithm implemented in Maria was very dynamic. It even 
rewrote input arc expressions on the fly, expanding multiset summations whose 
limits may depend on other variables. The first optimisation step was to expand 
quantifications in the parsing stage, transforming dynamic limits to variable- 
dependent multiplicities, so that the arc expressions remained static during the 
analysis. This improved the overall performance of the tool by 15-20 percent. 
At the same time, we started to make experiments with executable code gener- 
ation [?]. Using the C program code generated by our current implementation 
usually shortens the analysis times to less than a third of the times consumed 
by the interpreter written in C++. 

Previously presented algorithms, such as [?], dynamically schedule the 
input arcs. When we replaced dynamic scheduling with static scheduling in our 
implementation, we noticed a significant performance boost, 20-30 percent. This 
is mainly due to less bookkeeping, as the variables are always unified in the same 
order.^ Dynamic scheduling may provide shortcuts for simulators that randomly 
pick one assignment for firing a transition without generating all assignments. 

4.1 Representing Multisets 

It is important to choose the right data structures for representing multisets in 
the enabling test algorithm. It appears that we are not the first ones to come up 
with binary search trees. Haagh and Hansen [?, Chapter 3] suggest using a form 
of balanced binary trees. 

Our implementation uses two representations for markings: encoded (used for 
storing states) and expanded (for computations). The expanded representation is 
a binary search tree whose keys are multiset items and values are multiplicities. 
When a multiset is decoded from the state storage, only items with nonzero 
multiplicity are added. When items are removed from the tree, their multiplicities 
are set to zero. Since single items are never removed from the multiset, there is 
no need for costly balancing operations. 

^ Variables that are unifiable from several variable-multiplicity arcs and no constant- 
multiplicity arcs form an exception. Our implementation attempts to unify them 
from each arc having nonzero multiplicity. 

According to our experiments, using unbalanced trees is faster than using 
red-black trees if the places contain a small number of distinct tokens in the 
reachable markings. Even though unbalanced trees easily degenerate to linked 
lists, and searches may have to process $n$ nodes instead of $\lfloor \log_2 n \rfloor$, the savings in 
insertions dominate for small values of n. Our executable code generator contains 
an option for enabling or disabling red-black trees. 



4.2 Static Heuristics: Sorting the Arcs 

We use multisets in two remarkably different ways. Analyse-Constant (Fig- 
ure 3) performs one containment comparison on a multiset and calls Analyse- 
Arcs zero or one times. Analyse-Variable may iterate through all items in a 
multiset and invoke Analyse-Arcs for any number of them. 

Let us assume that our enabling test algorithm is invoked on a sequence of 
$n$ arcs, $k$ of which are constant. Furthermore, let us assume that all multisets 
contain $m$ distinct items. If the constant arcs are processed first, the search 
tree will consist of a linear sequence of $k$ calls to Analyse-Constant followed 
by a tree of Analyse-Variable invocations. There will be at most $k + m^{n-k}$ 
recursive calls to Analyse-Arcs. The other extreme, analysing constant arcs 
as late as possible, yields at most $(k + 1)\,m^{n-k}$ recursive calls. 

The proportion of these numbers of iteration steps is 

$$\frac{k + m^{n-k}}{(k + 1)\,m^{n-k}} = \frac{k}{k + 1} \cdot \frac{1}{m^{n-k}} + \frac{1}{k + 1} \approx \frac{1}{k + 1},$$

and the approximation is pretty good already for $m = 2$. Thus, if there are $k$ 
constant arcs, it is about $k$ times slower to analyse them at the leaves of the 
search tree than at the root. The difference becomes even more significant if the 
transition only has a few enabled instances in each marking and most instances 
of Analyse-Constant backtrack. The earlier this can happen, the better. 

The problem, finding an optimal static scheduling that minimises the number 
of Analyse- Arcs calls, becomes more complicated when we consider the fact 
that Analyse-Constant can handle non-ground terms that can be evaluated 
under the assignment generated so far. Intuitively, an optimal scheduling should 

— minimise the number of arcs from which variables are unified, and 

— minimise the worst-case number of multiset iterations, and 

— schedule the remaining arcs as early as possible in such an order that the 
algorithm is most likely to backtrack early. 

Especially the last requirement is difficult to fulfil in static analysis. We apply 
Gaeta’s “Less Different Tokens First” policy [?, Section 5.1] and compute the 
maximum numbers of distinct items in the input places. A multiset associated 
with a place whose domain is $BAG(A_s)$ can have at most $|A_s|$ distinct items.^ 
Let us shortly return to our example from Figure 2. If we assume that the 
domain sizes of the places left, middle and right are $d$, $d^2$ and $d$ for some $d > 
1$, then the scheduling we presented in the beginning of Section 3 is not very 
optimal. In the worst case, it iterates through $d$ items in right and $d^2$ items in 
middle, at most $d$ of which can pass the compatibility requirements. Analyse- 
Arcs can be invoked $1 + d(1 + d(1 + 2)) = 3d^2 + d + 1$ times, and Analyse- 
Variable may scan up to $d + d^2$ multiset items. Scheduling the term 1‘(x + 1) 
before 1‘(x, y) would reduce the maximum number of invocations to $1 + d(1 + 
1 + d(1 + 1)) = 2d^2 + 2d + 1$. The same number of multiset items need to be 
scanned in the worst case, but if analysing the term 1‘(x + 1) fails every time, 
the $d^2$ scans for 1‘(x, y) can be avoided. 

Gaeta divides input arc expressions into three categories: simple, complex and 
guarded. We use four categories: closed arcs (arcs that may only depend on 
already unified variables), constant-multiplicity arcs with unifiable variables, 
variable-multiplicity arcs with unifiable variables, and other arcs. 

We have implemented a depth-first search algorithm for splitting the input 
arc inscriptions as described in the beginning of Section 3. Since the algorithm 
has exponential complexity with regard to the number of split arcs containing 
unifiable variables, we programmed a special condition that terminates the search 
when a solution is found with more than five arcs containing unifiable variables. 

Our algorithm uses three cost functions. The primary cost function is the 
number of variables that will be unified from variable-multiplicity arcs. The 
secondary cost function is a sum of costs $C_2(S_k)$ for each arc $S_k = (T_k, X_k, p_k, m_k)$ 
defined as 

$$C_2(S_k) = \begin{cases} 0 & \text{if } X_k \ne \emptyset \\ \sum_{j=1}^{k-1} [X_j \ne \emptyset] & \text{if } X_k = \emptyset \end{cases}$$

where the square brackets map truth values to 0 and 1. Thus, for closed arcs, 
the secondary cost is the number of preceding non-closed arcs. Minimising this 
cost ensures that all closed arcs will be scheduled as early as possible. 

As a shortcut, our algorithm prioritises closed arcs over arcs with unifiable 
variables. Every time the algorithm picks an arc with unifiable variables, some 
of the remaining arcs may become closed. Only after the closed arcs run out, 
the algorithm picks the next arc with unifiable variables. If the only arcs left are 
in the “other” category, the search backtracks. If no complete schedulings are 
found, a unification error will be reported. 

The third and last cost function is the maximum number of iterations possible 
with the scheduling. For each split arc $S_k = (T_k, X_k, p_k, m_k)$, we define 

$$C_3(S_k) = \begin{cases} m(p_k) & \text{if } X_k \ne \emptyset \\ 1 & \text{if } X_k = \emptyset \end{cases}$$

where $m(p_k)$ denotes the maximum possible number of distinct tokens in the 
place $p_k$. The total cost is defined as 

$$C_3(S_1) \cdot (1 + C_3(S_2) \cdot (1 + C_3(S_3) \cdot (1 + \cdots)))$$

where the term $(1 + \cdots)$ after the last cost $C_3(S_n)$ is replaced with 1. 

^ If the multiset is associated with a maximum cardinality, then it is another limit. 



Fig. 5. Minimising Search Trees with Cost Functions. Per-arc costs and totals of the 
four orderings (left to right) of three split arcs, one of which is constant: 

           ordering 1       ordering 2       ordering 3       ordering 4 
           arcs    total    arcs    total    arcs    total    arcs    total 
    C_2    0 0 2     2      0 1 0     1      0 0 0     0      0 0 0     0 
    C_3    3 2 1    15      2 1 3    10      1 3 2    10      1 2 3     9 



Figure 5 demonstrates the relation between the secondary and ternary cost 
functions. It illustrates the maximal search trees imposed by four different or- 
derings for three split arcs, one of which is constant. The constant arc is the 
only contributor to the secondary cost, and scheduling it first minimises the 
secondary cost. The total ternary cost is the maximum number of recursive in- 
vocations to Analyse-Arcs, denoted in the figure with opaque circles. The 
scheduling presented on the right implies the smallest tree, 9 nodes. 

The algorithm selects a scheduling that has the minimum primary cost, num- 
ber of variables unified from variable- multiplicity arcs. If there are several such 
schedulings, then the one with the least secondary cost is selected. If that selec- 
tion is not unique, then one with the smallest ternary cost is chosen. 

As a finishing touch for the found static scheduling, our algorithm sorts 
contiguous sequences of closed terms in such a way that arcs whose places have 
the smallest number of distinct tokens are scheduled first. This enforces Gaeta’s 
“Less Different Tokens First” policy. 
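The three cost functions and the selection rule above, as an added Python example that is not Maria's code: it scores every valid ordering of the three split arcs of Fig. 5 and of the four split arcs $S_1..S_4$ of the Section 3 example, with the maximum numbers of distinct tokens $m(p_k)$ and the variable dependencies of each arc constructed for the example (d = 4 for the Section 3 places).

```python
from collections import namedtuple
from itertools import permutations

# vars: X_k, variables unified from the arc (empty => closed arc); uses: variables the
# inscription refers to; varmult: variable-multiplicity arc; m: m(p_k), the maximum
# number of distinct tokens in the arc's place. All values below are constructed.
Arc = namedtuple('Arc', 'name vars uses varmult m')

def valid(order):
    """Every variable an arc refers to is unified from it or from an earlier arc."""
    seen = set()
    for a in order:
        if not a.uses - a.vars <= seen:
            return False
        seen |= a.vars
    return True

def c1(order):
    """Primary cost: variables unified from variable-multiplicity arcs."""
    return sum(len(a.vars) for a in order if a.varmult)

def c2(order):
    """Secondary cost: per closed arc, the number of non-closed arcs scheduled before it."""
    return sum(sum(1 for b in order[:k] if b.vars)
               for k, a in enumerate(order) if not a.vars)

def c3(order):
    """Ternary cost C3(S1)·(1 + C3(S2)·(1 + ... C3(Sn))): worst-case Analyse-Arcs calls."""
    total = 0
    for a in reversed(order):
        total = (a.m if a.vars else 1) * (1 + total)
    return total

def ldtf(order):
    """Finishing touch: sort each contiguous run of closed arcs by m, smallest first."""
    out, run = [], []
    for a in list(order) + [None]:
        if a is not None and not a.vars:
            run.append(a)
        else:
            out += sorted(run, key=lambda b: b.m) + ([a] if a is not None else [])
            run = []
    return out

def best_schedule(arcs):
    """Lexicographic minimum of (C1, C2, C3) over the valid orderings, then LDTF-sorted."""
    orders = [o for o in permutations(arcs) if valid(o)]
    if not orders:
        raise ValueError('unification error: no complete scheduling')
    return [a.name for a in ldtf(min(orders, key=lambda o: (c1(o), c2(o), c3(o))))]

# Fig. 5: two arcs with unifiable variables (3 and 2 distinct tokens) and one closed arc.
FIG5 = [Arc('A', {'x'}, {'x'}, False, 3), Arc('B', {'y'}, {'y'}, False, 2),
        Arc('K', set(), set(), False, 5)]
# Section 3 example with d = 4: places right, middle, left hold d, d^2, d distinct tokens.
S = [Arc('S1', {'x'}, {'x'}, False, 4),          # 3‘x from right
     Arc('S2', {'y'}, {'x', 'y'}, False, 16),    # 1‘(x, y) from middle
     Arc('S3', set(), {'x'}, False, 4),          # 1‘(x + 1) from right
     Arc('S4', set(), {'y'}, False, 4)]          # 1‘2y from left

def fig5_totals():
    """C3 totals of the four orderings drawn in Fig. 5, left to right."""
    A, B, K = FIG5
    return [c3(o) for o in ((A, B, K), (B, K, A), (K, A, B), (K, B, A))]
```

`fig5_totals()` reproduces the totals 15, 10, 10 and 9 of Fig. 5, and `best_schedule(S)` puts 1‘(x + 1) before 1‘(x, y), which is the reordering recommended above.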

4.3 Dynamic Heuristics 

Caching. Ilié and Rojas suggest in [?, Section 3.4] that to speed up a simulator, 
one could build up a cache that maps input place markings of transitions to sets 
of enabling assignments. In our experiments, it turned out that in exhaustive 
reachability analysis, this kind of cache is only useful when there are a large 
number of states in which the input places of a transition are marked in exactly 
the same way. 

In simulations of timed nets, where exactly the same states are visited over 
and over again, using such caches may pay off if the bookkeeping overhead 
(comparing and duplicating input place markings and copying associated sets 
of enabling assignments) is smaller than the cost of computing the enabling 
assignments from scratch. This depends on the implementation, on the size 
and the scheduling policy of the cache and on the model. 

We experimented with an artificial model, one of whose transitions had $n$ 
input arcs from a place holding $n$ tokens, with a total of $n!$ enabled assignments. 
For $n = 7$, generating the 5040 assignments took several thousands of times 
longer than a cache look-up. In more realistic models, we witnessed differences 
of at most a few percent. In many models, such as the dining philosophers [?] or 
the distributed data base management system [?], all cache look-ups failed. Due 
to this experience, we decided to eliminate the cache altogether and to integrate 
transition firings with enabling tests. This improved the execution times by about 
ten percent. 



Cardinality Tests. Gaeta [?, Section 4.3] has implemented heuristics for de- 
tecting when a transition is disabled. He keeps track of the number of tokens in 
each input place. If a place contains fewer tokens than a transition would consume, 
the transition cannot be enabled and the search for enabling assignments can be 
avoided. 

Our implementation of the cardinality test needs to consider arcs with vari- 
able multiplicity. Their multiplicities are assumed to be zero. Since the heuristic 
is implemented in generated code, the comparisons can be omitted if they are 
known to hold. In Maria models, it is possible to speed up analysis by specifying 
conditions on the amounts of tokens places may hold in reachable markings. 

4.4 Some Experimental Results 

Maria uses an explicit technique for maintaining the set of reachable states and 
the transition instances leading from one state to another. Everything related 
to the reachability graph is kept in disk files [?]. Because of this, the analyser 
spends most of its execution time checking whether an encoded state exists in 
the reachability graph. In our tests, Maria has generated full state spaces of 
converted Prod [?] models in 0.5 to 1 times the Prod speed. One explanation 
for the slowness is that Maria detects evaluation errors and supports much more 
powerful algebraic operations than Prod, which makes optimisations in the C 
code generation difficult. Also, it is possible to use probabilistic verification with 
Maria. When no arcs are stored and a reachability set is maintained in memory, 
the tool performs an order of magnitude faster. 

Analysing the biggest state space so far with Maria, a translation of a 
radio link control protocol specified in SDL consisting of 15,866,988 states and 
61,156,129 events, took 5 megabytes of memory and 1.55 gigabytes of disk space, 
most of which was consumed by the arc inscriptions and double links stored with 
the reachability graph. The analysis was completed in less than nine hours on a 
266 MHz Pentium II system. 

Table 1 lists some models we have analysed and unfolded in Maria. All 
models except “rlc” are distributed with the tool. There are three figures for 
unfolded net sizes. The first column is for “traditional” unfoldings, excluding 
unconnected places; the second is for unfoldings reduced with our method, and 
the third is for minimal unfoldings obtained from the reachability graph. 

Table 1. Unfoldings and State Spaces of Selected Models 

                 Folded       Unfolded            Reduced           Minimal           State Space 
    Model        |P|  |T|     |P|     |T|         |P|    |T|        |P|     |T|       states       arcs 
    dining(10)     2    3      40      30          40     30         40      30        6,726       43,480 
    dbm(5)         8    4     111      60          96     50         96      50          406        1,090 
    dbm(10)        8    4     421     220         391    200        391     200      196,831    1,181,000 
    sw(1,1)       12    9      41     422          35    288         35      54          164          352 
    sw(2,2)       12    9   2,048 1,087,382       729 239,478       129     688        2,640        7,716 
    sw(6,6)       12    9       -       -           -      -      9,805 145,464    1,774,716    7,127,688 
    resource       4    3     336   8,158         193  4,610        111      45      538,318    4,136,459 
    rlc           18  104     708  14,736         114  1,429          -       -   15,866,988   61,156,129 

The model named “resource” solves a resource allocation problem. On our 
system, Maria generates its full reachability graph in 26 minutes, using 3 
megabytes of memory and 85.7 megabytes of disk space. With the default capac- 
ity limit, LoLA consumes 4 minutes less time but about 530 megabytes more 
memory on the reduced unfolding of this model. We tried to tighten the capacity 
limit to save memory but failed, because the limit is global for all places. 

Reduced unfoldings work best for models with a sparse state space, i.e. only 
a fraction of the possible states are actually reachable. For some theoretically 
pleasing symmetric models, our reduced unfolding does not gain much. 

We have the feeling that models of communication protocols, especially those 
translated from a high-level programming language, have sparse state spaces. 
The sliding window protocol model we experimented with ("sw" in Table 1) is a 
good example of this. Already with very small window sizes its traditional un- 
foldings become unmanageably large. Even the reduced and minimal unfoldings 
are not very helpful for larger window sizes. This is because all buffer reads and 
writes in the model are atomic, which reduces the reachability graph but makes 
the unfolding explode. 

5 Conclusion and Future Work 

Earlier work on performing enabling tests for high-level nets appears to be lim- 
ited to nets whose arc inscriptions have constant weights. According to Kindler 
and Völzer, it is difficult to model distributed network algorithms under 
such limitations. They present algebraic system nets as a solution, but do not 
define any algorithms for analysing these nets on the high level. 

We viewed enabling tests for high-level nets, constructing the set of assign- 
ments under which a transition is enabled in a given marking, as a unification 
problem, matching multiset-valued terms and subsets of constant multisets. Our 
approach avoids the combinatorial explosion inherent in this problem by dis- 
allowing multiset-valued variables on input arc inscriptions, by restricting the 
set of operations recognised by the unification algorithm, and by requiring that 
variable-dependent weights and arbitrary multiset-valued terms can be evaluated 
based on variable bindings gathered from other terms. 

Our reachability analyser Maria supports queues and stacks on the data type 
level. Powerful operations, such as removing multiple items from the middle of a 
queue, make it easy to construct compact high-level models. Experiments show 
that it is often infeasible to unfold such models in the traditional way. Special 
constructs for translating large blocks of atomic operations in high-level nets 
into behaviour-equivalent compact low-level nets are subject to further research. 

The presented unification algorithm processes terms in a fixed order. A 
method for statically ordering the terms in a close to optimal way was presented, 
and some optimisations to the algorithm were discussed. Some of the presented 
techniques may be best suited for exhaustive analysis tools; their applicability 
in simulators was not tested. 

A new method for unfolding high-level nets based on a kind of “coverable 
marking” was presented. The method often produces considerably smaller un- 
foldings than the common approach of iterating over all domains. 
Abstract. PBC (Petri Box Calculus) is a process algebra where real 
parallelism of concurrent systems can be naturally expressed. One of 
its main features is the definition of a denotational semantics based on 
Petri nets, which emphasizes the structural aspects of the modelled sys- 
tems. However, this formal model does not include temporal aspects of 
processes, which are necessary when considering real-time systems. The 
aim of this paper is to extend the existing calculus with those tempo- 
ral aspects. We consider that actions are not instantaneous, that is, their 
execution takes time. We present an operational semantics and a denota- 
tional semantics based on timed Petri nets. Finally, we discuss the intro- 
duction of other new features such as time-outs and delays. Throughout 
the paper we assume that the reader is familiar with both Petri nets and 
PBC. 

1 Introduction 

Formal models of concurrency are widely used to specify concurrent and dis- 
tributed systems. In this research field, process algebras and Petri nets are well- 
known. Each of them has its own advantages and drawbacks: In Petri nets and 
their extensions one can make assertions about events, even if causality rela- 
tions are not given explicitly. Emphasis is put on the partial order of events and 
on structural aspects of the modelled systems. However, their algebraic basis 
is poor, thus modelling and verification of systems are affected. On the other 
hand, the main feature of process algebras is the simple algebraic characteriza- 
tion of the behaviour of each of the syntactic operators, although it is true that 
in most of the cases, we obtain it by losing important information concerning 
event causality. 

Recently, a new process algebra, PBC (Petri Box Calculus), has arisen 
from the attempts to combine the advantages of both Petri nets and process 
algebras. When defining PBC the starting point was Petri nets and not any 
well-known process algebra, so its authors looked for a suitable algebra whose 
operators could be easily defined on Petri nets. As a consequence, they obtained 
an algebra of Petri nets which can be seen as the denotational semantics of PBC, 
and since Petri nets are endowed with a natural operational semantics, one can 
also derive an operational semantics of the given process algebra, which can 
also be defined directly by means of Plotkin-like syntax-guided rules. 



J.-M. Colom and M. Koutny (Eds.): ICATPN 2001, LNCS 2075, pp. 303-..., 2001. 
(c) Springer-Verlag Berlin Heidelberg 2001 

Nevertheless, these models do not include any temporal information, and 
it is obvious that some kind of quantitative time representation is needed for 
the description of real-time systems. Many timed process algebras have been 
proposed. Among them we will mention timed CCS, temporal CCS, timed CSP 
and timed observations. Besides, timed extensions of Petri nets, such as Petri 
nets with time and timed Petri nets, have been available for a long time. 

The aim of this paper is to extend PBC with time while maintaining its main 
properties and the basic concepts on which it is based. In this way, we propose 
TPBC (Timed Petri Box Calculus). Our model differs from the previous approach 
by M. Koutny in several relevant aspects, among which we mention the duration 
of actions and the nonexistence of illegal action occurrences. Both models cor- 
respond to different ways of capturing time information, and as a consequence 
they are not in competition but complementary. 

Here we consider a discrete time domain. Most of the systems in which we are 
interested can be modelled under this hypothesis, and some of the definitions 
and results in the paper can be presented in a simpler way. Our results 
cannot be generalized to the case of continuous time, because discrete time 
cannot be considered just as a simplification of continuous time. 

In order to improve the readability of the paper, we layer the presenta- 
tion: first we present a simple extension in which actions have a minimal dura- 
tion, that is, we allow their execution to take more time than expected. 
An intuitive justification of this comes from the behaviour in practice of 
real-time systems: one usually knows the minimum time needed to execute a 
task, but depending on how it interacts with the environment, it could take 
longer. Besides, even if we consider that the duration of each action is fixed, 
when we execute an action $\alpha$ whose minimal duration is $d$ but whose real 
duration is $d' > d$, we could consider that we are just representing a delayed 
execution of the action, which would start after $d' - d$ time units, in such a 
way that $d$ would still be the effective duration of the action. 

In this simplified timed extension there is no limit to the time a process 
can be idle without changing its state. So, we cannot model in it any kind of 
urgency or time-out. In order to do so, we present in Section 6 of the paper a 
more elaborate extension where these characteristics are introduced. 

As we said before, we introduce time information by means of the duration of 
actions instead of combining delays and instantaneous actions. There are several 
reasons that justify our choice. First, one can find in the literature both kinds of 
timed models; since Koutny has already investigated the other case, by studying 
here the case of actions with duration we are somehow completing the picture. It 
is true that results similar to those in the paper could be obtained for the case of 
delays and instantaneous actions, although the corresponding translation might 
not be immediate in all cases. But it is not the consideration of actions 
with duration that makes our model rather more complicated than Koutny's: 
the added complications are necessary in order to avoid illegal action 
occurrences. We will compare the two timed models in more depth in the last 
sections of the paper. 
2 The TPBC Language 

Although it would probably be more than desirable, for lack of space we cannot 
give here a quick introduction to PBC. Unfortunately, this is a technically involved 
model whose presentation requires several pages. But the reader can also infer 
the main characteristics of PBC from our paper, just by abstracting away all the 
references to time in it. 

Throughout the paper we use standard mathematical notation. In particular, 
the set of finite multisets over a set $S$ is denoted by $\mathcal{M}(S)$, and defined as the 
set of functions $a : S \to \mathbb{N}$ such that $\{\, s \in S \mid a(s) \neq 0 \,\}$ is finite. $\emptyset$ denotes 
the empty multiset, and $\{a\}$ is a unitary multiset containing $a$. 

To define the syntax of TPBC, we consider a countable alphabet of labels $A$, 
which will denote atomic actions. In order to support synchronization we assume 
the existence of a bijection $\hat{\ } : A \to A$, called conjugation, by means of which 
we associate to each label $a \in A$ a corresponding one $\hat a \in A$. This function must 
satisfy the following property: $\forall a \in A\ \ \hat a \neq a \wedge \hat{\hat a} = a$. 

As in plain PBC, the basic actions of TPBC are finite multisets of labels, 
called bags. In the prefix operator of the language each bag $\alpha \in \mathcal{M}(A)$ carries 
a duration $d \in \mathbb{N}^+$, thus we obtain the basic action $\alpha : d$. In the following, we 
will denote by $BA = \mathcal{M}(A) \times \mathbb{N}^+$ the set of those basic actions. 

The rest of the syntactic operators in TPBC are those in PBC. Although 
recursive processes have not been included, the calculus is not finite: We have 
infinite behaviours due to the presence of the iteration operator. 

Definition 1 (Static expressions). A static expression of TPBC is any 
expression generated by the following BNF grammar: 

$E ::= \alpha : d \mid E ; E \mid E \,\square\, E \mid E \parallel E \mid [E * E * E] \mid E[f] \mid E \text{ sy } a \mid E \text{ rs } a \mid [a : E]$ 

where $d \in \mathbb{N}^+$ and $f : A \to A$ is a conjugate-preserving function. The set of 
static expressions of TPBC is denoted by $Expr^s$, and we use letters $E$ and $F$ to 
denote its elements. 



3 Operational Semantics 

The operational semantics of TPBC is defined by means of a labelled transition 
system including two types of transitions: instantaneous transitions, which re- 
late equivalent processes, and non-instantaneous transitions, which express how 
processes evolve due to the execution of actions and the progress of time. The 
set of states of this transition system corresponds to a new class of expressions, 
the so called dynamic expressions. 

Definition 2 (Dynamic expressions). A dynamic expression of TPBC is 
any expression generated by the following BNF grammar: 

$G ::= \overline{E} \mid \underline{E} \mid \alpha : d, d' \mid G ; E \mid E ; G \mid G \,\square\, E \mid E \,\square\, G \mid G \parallel G \mid$ 

$\quad\quad [G * E * E] \mid [E * G * E] \mid [E * E * G] \mid G[f] \mid G \text{ sy } a \mid G \text{ rs } a \mid [a : G]$ 

where $d \in \mathbb{N}^+$, $d' \in \mathbb{N}$ and $f$ is a conjugate-preserving function from $A$ to $A$. 
The set of dynamic expressions of TPBC will be denoted by $Expr^d$, and we use 
letters $G$ and $H$ to represent its elements. 

In the definition above the static expressions of the calculus are marked with 
three types of barring: overlining, underlining and executing barring. The first 
two have the same meaning as in PBC: $\overline{E}$ denotes that $E$ has been activated and 
offers all the behaviours $E$ represents, whereas $\underline{E}$ denotes that the process $E$ 
has reached its final state and the only move it can perform is letting time pass. 
Finally, the dynamic expression $\alpha : d, d'$ represents that the action $\alpha \in \mathcal{M}(A)$ 
has begun its execution some time ago with a minimum duration of $d$ time units, 
and from now on its execution will take $d'$ time units until it terminates. 

Since we are interested in expressing locally the passage of time, and it is at 
the level of basic actions where this can be done properly, the overline 
operator will be distributed over the current expression until a basic action is 
reached. Then the executing bar will only be applied to this kind of action. 

As we already mentioned, non-instantaneous transitions represent the execu- 
tion of actions and their labels indicate which bags have just begun to execute 
together with their durations. This information is expressed by means of timed 
bags, $\alpha^{d'}$, which consist of a bag $\alpha$ and a temporal annotation $d' \in \mathbb{N}^+$. The set 
of timed bags will be denoted by $TB$. 

Timed bags express the first level of concurrency we can distinguish in a 
concurrent system. They represent the simultaneous execution of atomic actions 
in the same component of the system. To cover also a second level, which rep- 
resents the concurrent evolution of the different components of the system, we 
introduce timed multibags, which are finite multisets of timed bags. 

Thus non-instantaneous transitions have the form $G \xrightarrow{\Sigma} G'$, where $\Sigma \in 
\mathcal{M}(TB)$. This can be interpreted as follows: process $G$ has changed its state to 
$G'$ by starting to execute the multiset of timed bags $\Sigma$ during one unit of time. 
More generally, we assume that each labelled transition represents the passing 
of one time unit. As a consequence, the execution of a multibag $\Sigma$ is only ob- 
servable (at the level of labels of the transition system) at its first instant. 
Afterwards, we let time progress until the execution of $\Sigma$ terminates, 
although in between the execution of some other actions whose performance does 
not need the termination of $\Sigma$ could be initiated. 

The passage of one time unit without starting the execution of any new bag 
is represented by transitions labelled by $\emptyset$. Since for any overlined or underlined 
process we let time pass without any change in the state, we have the rules: 

(V1) $\overline{E} \xrightarrow{\emptyset} \overline{E}$        (V2) $\underline{E} \xrightarrow{\emptyset} \underline{E}$ 

Instantaneous transitions take the form $G \longleftrightarrow G'$, and their intended meaning 
is that the involved process has these two different syntactic representations: 
$G$ and $G'$. Therefore this kind of transition relates expressions with the same 
operational behaviour. 
3.1 Transition Rules 

In this section we first present those transition rules that represent the timed 
aspects of our model. They are the basic action rules and the synchronization rules. 
We also provide the operational semantics of iteration, since it is not common 
in most process algebras. The rest of the operators behave as in the untimed 
model. A complete set of rules will appear in the PhD thesis of the first 
author (a partial preliminary version has already been published). 

Operational semantics of basic actions: 

(B1) $\overline{\alpha : d} \xrightarrow{\{\alpha^{d'}\}} \alpha : d, d' - 1$  if $d' \ge d$ 

(B2) $\alpha : d, d' \xrightarrow{\emptyset} \alpha : d, d' - 1$  if $d' > 0$ 

(B3) $\alpha : d, 0 \longleftrightarrow \underline{\alpha : d}$ 

Operational semantics of synchronization: 

(S1) $\overline{E \text{ sy } a} \longleftrightarrow \overline{E} \text{ sy } a$ 

(S2a) from $G \longleftrightarrow G'$ infer $G \text{ sy } a \longleftrightarrow G' \text{ sy } a$ 

(S2b) from $G \xrightarrow{\Sigma} G'$ infer $G \text{ sy } a \xrightarrow{\Sigma} G' \text{ sy } a$ 

(S2c) from $G \text{ sy } a \xrightarrow{\Sigma + \{(\alpha + \{a\})^{d'}\} + \{(\beta + \{\hat a\})^{d'}\}} G' \text{ sy } a$ 
infer $G \text{ sy } a \xrightarrow{\Sigma + \{(\alpha + \beta)^{d'}\}} G' \text{ sy } a$ 

(S3) $\underline{E} \text{ sy } a \longleftrightarrow \underline{E \text{ sy } a}$ 



Operational semantics of iteration: 

(It1) $\overline{[E * F * E']} \longleftrightarrow [\overline{E} * F * E']$ 

(It2a) from $G \longleftrightarrow G'$ infer $[G * F * E'] \longleftrightarrow [G' * F * E']$ 

(It2b) from $G \xrightarrow{\Sigma} G'$ infer $[G * F * E'] \xrightarrow{\Sigma} [G' * F * E']$ 

(It2c) $[\underline{E} * F * E'] \longleftrightarrow [E * \overline{F} * E']$ 

(It2d) $[\underline{E} * F * E'] \longleftrightarrow [E * F * \overline{E'}]$ 

(It3a) from $G \longleftrightarrow G'$ infer $[E * G * E'] \longleftrightarrow [E * G' * E']$ 

(It3b) from $G \xrightarrow{\Sigma} G'$ infer $[E * G * E'] \xrightarrow{\Sigma} [E * G' * E']$ 

(It3c) $[E * \underline{F} * E'] \longleftrightarrow [E * \overline{F} * E']$ 

(It3d) $[E * \underline{F} * E'] \longleftrightarrow [E * F * \overline{E'}]$ 

(It4a) from $G \longleftrightarrow G'$ infer $[E * F * G] \longleftrightarrow [E * F * G']$ 

(It4b) from $G \xrightarrow{\Sigma} G'$ infer $[E * F * G] \xrightarrow{\Sigma} [E * F * G']$ 

(It5) $[E * F * \underline{E'}] \longleftrightarrow \underline{[E * F * E']}$ 



Rule (B1) states that basic processes can only leave their initial state by start- 
ing the execution of the corresponding bag. The duration of this execution will 
be greater than or equal to the annotated minimum duration. Once this execution 
starts, the process will let time pass until its termination (rule (B2)). Then the 
basic action has finished its execution, which is represented by rule (B3). 

The synchronization is activated whenever its first argument becomes active 
(rule (S1)), but synchronization is not forced, so that $G \text{ sy } a$ can mimic all the 
behaviours of $G$ (rule (S2b)). Rule (S2c) shows what happens when the process 
synchronizes with itself: the timed bags involved in the operation must have the 
same real duration, and they join together in a new timed bag in which we have 
removed a pair of labels $(a, \hat a)$ such that each component is in a different multiset. 
Finally, the process finishes when its argument terminates, as indicated by rule 
(S3). All the rules can be applied on any equivalent state of $G$ (rule (S2a)). 

Iteration rules define the behaviour of this syntactic operator. Control is 
transmitted from each argument to some other (either the next, or the same in 
the case of the second argument), until the last one terminates. More in detail, 
rules (It2c) and (It2d) state that once the entry condition has finished (first 
argument) we can choose between executing the loop body (second argument) 
or the exit condition (third argument). Rules (It3c) and (It3d) state that each 
time the second argument terminates, we can choose between executing it again 
or we advance to execute the last argument. 

4 Denotational Semantics 

The denotational semantics of any language is defined by means of a function 
which maps the set of its expressions into the adequate semantic domain. In this 
way we associate to each expression of the language an object which reflects its 
structure and behaviour. The denotational semantics of TPBC is based on timed 
Petri nets, whose transitions have a duration. A labelled timed Petri net, denoted 
by TPN, is a tuple $(P, T, F, W, \delta, \lambda)$ such that $P$ and $T$ are disjoint sets of places 
and transitions; $F \subseteq (P \times T) \cup (T \times P)$ is the set of arcs of the net; $W$ is a weight 
function from $F$ to the set of positive natural numbers $\mathbb{N}^+$; $\delta$ is a function from 
the transition set $T$ to $\mathbb{N}^+$ that defines the duration of each transition; and $\lambda$ is a 
function from $P \cup T$ into a set of labels $\mathcal{L}$. In our case, $\lambda$ maps elements in $P$ into 
the set $\{e, i, x\}$ and transitions in $T$ into the set $\mathcal{L} = \mathcal{P}(\mathcal{M}(BA) \setminus \{\emptyset\} \times BA)$. 
Its intended meaning is the same as in PBC, that is, we consider that a net 
has three types of places: entry places (those with $\lambda(p) = e$), internal places 
(those with $\lambda(p) = i$), and exit places (those with $\lambda(p) = x$). Moreover, each 
transition $v$ is labelled with a binary relation $\lambda(v) \subseteq \mathcal{M}(BA) \setminus \{\emptyset\} \times BA$, whose 
elements are pairs of the form $(\{\alpha_1 : d_1, \alpha_2 : d_2, \ldots, \alpha_n : d_n\}, \alpha : d)$. The 
informal meaning of such a pair is that the behaviour represented by the multiset 
$\{\alpha_1 : d_1, \alpha_2 : d_2, \ldots, \alpha_n : d_n\}$ will be substituted by the execution of the bag $\alpha$ 
with a minimum duration of $d$ time units. The most usual binary relations are 
the following: 

1. Constant relation: $\rho_{\alpha : d} = \{\, (\{\beta : d\}, \alpha : d) \,\}$. 

2. Identity: $\rho_{id} = \{\, (\{\alpha : d\}, \alpha : d) \,\}$. 

3. Synchronization: $\rho_{\text{sy } a}$ is defined as the smallest relation satisfying: 

   $\rho_{id} \subseteq \rho_{\text{sy } a}$, 

   $(\Gamma, \alpha + \{a\} : d_1), (\Delta, \beta + \{\hat a\} : d_2) \in \rho_{\text{sy } a} \;\Rightarrow\; (\Gamma + \Delta, \alpha + \beta : \max\{d_1, d_2\}) \in \rho_{\text{sy } a}$. 

4. Basic relabelling: $\rho_{[f]} = \{\, (\{\alpha : d\}, f(\alpha) : d) \mid f(\hat a) = \widehat{f(a)}\ \ \forall a \in A \,\}$. 

5. Restriction: $\rho_{\text{rs } a} = \{\, (\{\alpha : d\}, \alpha : d) \mid a, \hat a \notin \alpha \,\}$. 

6. Hiding: $\rho_{[a : \_]} = \{\, (\Gamma, \alpha : d) \in \rho_{\text{sy } a} \mid a, \hat a \notin \alpha \,\}$. 
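The synchronization relation of item 3 is a closure: starting from the identity pairs, two elements whose bags contain a label and its conjugate are merged, one pair $(a, \hat a)$ is removed, and the longer of the two minimum durations is kept. The following Python code is an added example, not taken from the paper or from any PBC tool: it computes that closure for a finite set of basic actions, representing an element $(\Gamma, \alpha : d)$ by a multiset $\Gamma$ of seed actions (by index) and a timed bag. The label names, the "~" convention for conjugation and the seed actions are constructed for the example. One caveat the definition itself does not make explicit is that the relation is infinite as soon as a bag contains both $a$ and $\hat a$ (it keeps synchronizing with fresh copies of itself, the self-synchronization case of rule (S2c)), so the code bounds how many times each seed may occur in $\Gamma$; that bound is an assumption of the example, not part of $\rho_{\text{sy } a}$.

```python
from collections import Counter


def conj(label):
    """Conjugation: "a" <-> "~a" (constructed convention for the hat operator)."""
    return label[1:] if label.startswith("~") else "~" + label


def bag(*labels):
    """A bag (finite multiset of labels), frozen so that it can be hashed."""
    return frozenset(Counter(labels).items())


def as_counter(frozen):
    return Counter(dict(frozen))


def as_frozen(counter):
    return frozenset((k, n) for k, n in counter.items() if n > 0)


def sync_closure(seeds, a, max_uses=1):
    """Bounded computation of rho_sy a (item 3 of the list of relations).

    seeds: the basic actions alpha:d available for synchronisation, as (bag, d)
    pairs; their identity pairs ({alpha:d}, alpha:d) form the starting relation.
    Elements are (Gamma, (alpha, d)) with Gamma a multiset over seed indices.
    Two elements (Gamma, alpha+{a}:d1) and (Delta, beta+{~a}:d2) yield
    (Gamma+Delta, alpha+beta : max(d1, d2)).

    The full relation is infinite whenever a bag contains both a and ~a (it can
    synchronise with further copies of itself without bound), so only elements
    whose Gamma uses each seed at most max_uses times are kept (assumption of
    this example, not part of the definition).
    """
    seeds = list(seeds)
    relation = set()
    for i, (alpha, d) in enumerate(seeds):
        relation.add((frozenset([(i, 1)]), (alpha, d)))
    changed = True
    while changed:
        changed = False
        for gamma1, (alpha1, d1) in list(relation):
            if as_counter(alpha1)[a] == 0:
                continue
            for gamma2, (alpha2, d2) in list(relation):
                if as_counter(alpha2)[conj(a)] == 0:
                    continue
                gamma = as_counter(gamma1) + as_counter(gamma2)
                if any(n > max_uses for n in gamma.values()):
                    continue                      # bound on the size of Gamma
                merged = as_counter(alpha1) + as_counter(alpha2)
                merged[a] -= 1                    # remove one pair (a, ~a)
                merged[conj(a)] -= 1
                element = (as_frozen(gamma), (as_frozen(merged), max(d1, d2)))
                if element not in relation:
                    relation.add(element)
                    changed = True
    return relation


def contains(relation, seed_indices, labels, d):
    """Is (Gamma = multiset of the given seed indices, {labels}:d) in the relation?"""
    return (as_frozen(Counter(seed_indices)), (bag(*labels), d)) in relation


if __name__ == "__main__":
    # Constructed seeds: {a,b}:2, {~a}:3 and the self-synchronising {a,~a}:1
    seeds = [(bag("a", "b"), 2), (bag("~a"), 3), (bag("a", "~a"), 1)]
    for gamma, (alpha, d) in sorted(sync_closure(seeds, "a"), key=str):
        print(sorted(dict(gamma).items()), sorted(dict(alpha).items()), d)
```

With the three constructed seeds the bounded closure has seven elements; for instance {a,b}:2 synchronized with {~a}:3 gives ({a,b}:2, {~a}:3 ; {b}:3), the duration being the maximum of the two. The seed {a,~a}:1 alone illustrates the bound: with at most one use per seed nothing new is derived, with two uses it synchronizes with a copy of itself and yields the same bag again, and without any bound the derivation would never stop.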
As it is done in PBC, we distinguish two kinds of nets: plain nets, whose transi- 
tions are labelled with a constant relation; and operator nets, in which transitions 
are labelled with non-constant relations. 

Only plain nets will be marked, and therefore they are the only ones able to 
fire transitions. Due to this fact, it is not necessary to include time information 
in operator nets. The formal definitions are the following: 

Definition 3 (Timed plain net). A timed plain net $N = (P, T, F, W, \delta, \lambda)$ 
is a timed Petri net such that $\lambda : P \cup T \to \{e, i, x\} \cup \{\, \rho_{\alpha : d} \mid \alpha \in \mathcal{M}(A), d \in \mathbb{N}^+ \,\}$ 
where $\forall p \in P\ \ \lambda(p) \in \{e, i, x\}$ and $\forall v \in T\ \ \lambda(v) = \rho_{\alpha : d}$ with $\delta(v) = d$. 

Definition 4 (Operator net). An operator net $N$ is a labelled Petri net 
$(P, T, F, W, \lambda)$ such that $\lambda : P \cup T \to \{e, i, x\} \cup \mathcal{L}$ where $\forall p \in P\ \ \lambda(p) \in \{e, i, x\}$ 
and $\forall v \in T\ \ \lambda(v) \in \mathcal{L} \setminus \{\, \rho_{\alpha : d} \mid \alpha \in \mathcal{M}(A), d \in \mathbb{N}^+ \,\}$. 

To support the duration of transitions, markings of timed plain nets will 
be constituted by two components, $M^a$ and $M^e$. $M^a$ represents the available 
marking of the net, that is, where the tokens are and how many of them there are. 
$M^e$ is the multiset of transitions currently in execution, each one carrying the 
time units its execution will still take from now on. Formally speaking, if $N = 
(P, T, F, W, \delta, \lambda)$ is a timed plain net, a marking $M$ of $N$ is a pair $(M^a, M^e)$ 
where $M^a \in \mathcal{M}(P)$ and $M^e$ is a finite multiset of tuples in $T \times \mathbb{N}^+$. We say that 
a transition $v$ is in $M^e$, $v \in M^e$, iff there is some $d' \in \mathbb{N}^+$ such that $(v, d') \in M^e$. 
In order to visualize the set of transitions in execution, and also to simplify some 
results, it is useful to introduce the derived concept of frozen token. A place 
$p \in P$ is occupied by a frozen token iff there is a transition $v \in T$ such that 
$(p, v) \in F$ and $v \in M^e$. In this case, if there exists only one value $d'$ for $v$, 
we denote it by $rem(v)$. Then we define the token-marking $T(M)$ associated to 
$M = (M^a, M^e)$ by $T(M) = (M^a, M^f)$ where $M^f$ is the multiset of places defined 
by 

$M^f(p) = \sum_{(p, v) \in F,\ d \in \mathbb{N}^+} M^e(v, d)$. 

In the following we will call the ordinary tokens in a marking available tokens, 
in order to avoid confusion with frozen tokens. 

A marking $M = (M^a, M^e)$ is safe if each place is occupied, at most, by one 
token, either ordinary or frozen. That is, $\forall p \in P$ 

$M^a(p) + M^f(p) \le 1$. 

A safe marking $M = (M^a, M^e)$ is clean if the following conditions hold: 

• $(\forall p \in {}^\bullet N\ \ M^a(p) + M^f(p) \neq 0) \Rightarrow (\forall p \in P\ \ \lambda(p) \neq e \Rightarrow M^a(p) + M^f(p) = 0)$, 

• $(\forall p \in N^\bullet\ \ M^a(p) \neq 0) \Rightarrow M^a = N^\bullet \wedge M^f = \emptyset$. 

In order to define the firing of transitions we need to know their real dura- 
tions. So, we consider timed transitions, which are pairs of the form $(v, d')$ where 
$v$ is a transition and $d' \in \mathbb{N}^+$. Then we say that a multiset of timed transitions 
$RT$ is enabled at a marking $M$ if the following conditions are satisfied: 

• $\forall (v, d') \in RT\ \ d' \ge \delta(v)$, 

• $\forall p \in P\ \ M^a(p) \ge \sum_{v \in T} RT(v) \cdot W(p, v)$, where $RT(v) = \sum_{d' \in \mathbb{N}^+} RT(v, d')$. 
Once we know when a multiset of timed transitions $RT$ is enabled at a 
marking, the following firing rule defines the effect of its firing: 

Definition 5 (Firing rule). Let $N = (P, T, F, W, \delta, \lambda)$ be a TPN, and $M = 
(M^a, M^e)$ be a marking of $N$ at some instant $\beta \in \mathbb{N}$. If a multiset of timed 
transitions $RT$ is enabled at $M$ and its transitions are fired, then the marking 
$M' = (M'^a, M'^e)$ reached at the instant $\beta + 1$ is defined as follows: 

• $M'^a = M^a - \sum_{v \in C_0} RT(v)\, W(\cdot, v) + \sum_{v \in C_1} RT(v, 1)\, W(v, \cdot) + \sum_{(v, 1) \in C_2} M^e(v, 1)\, W(v, \cdot)$ 

where 

$C_0 = \{\, v \in T \mid \exists d' \in \mathbb{N}^+\ \ RT(v, d') > 0 \,\}$, $C_1 = \{\, v \in T \mid (v, 1) \in RT \,\}$, and 
$C_2 = \{\, (v, 1) \in T \times \mathbb{N}^+ \mid M^e(v, 1) > 0 \,\}$. 

• $M'^e : T \times \mathbb{N}^+ \to \mathbb{N}$ 
with 

$M'^e(v, d'') = RT(v, d')$ if $(v, d') \in RT$ and $d'' = d' - 1$, and 
$M'^e(v, d'') = M^e(v, d'' + 1)$ otherwise. 

The step generated by the firing of a multiset of timed transitions $RT$ is denoted by 
$M[RT\rangle M'$. Step sequences are defined as usual, and the set of reachable markings 
in $N$ from $M$ is denoted by $Reach(N, M)$. 

So, frozen tokens are those consumed by a transition in execution. Whenever 
that execution finishes they become available tokens in the postconditions of the 
fired transitions. 
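The firing rule above, together with the basic-action rules (B1), (B2) and (B3) of Section 3.1, can be exercised on a small net. The following Python code is an added example and is not part of the paper or of any TPBC tool: it represents a timed plain net of Definition 3 with a marking $(M^a, M^e)$, checks the two enabling conditions for a multiset of timed transitions, applies the firing rule of Definition 5, and derives the token-marking $T(M)$ with frozen tokens in order to check safeness. The net it builds (an entry place, a transition of minimum duration 1, an internal place, a transition of minimum duration 2, an exit place) and the firing schedule are constructed for the example. The one assumption it makes beyond the text is that the executing component after a step is the sum of the newly fired and the already executing transitions; for safe markings this coincides with the case split in Definition 5, because an executing transition keeps its preconditions frozen and therefore cannot be fired again while it runs.

```python
from collections import Counter


class TimedPlainNet:
    """Timed plain net (P, T, F, W, delta, lambda) of Definition 3.

    weights maps (p, v) and (v, p) pairs to W; F is the set of pairs with W > 0.
    delta gives the minimum duration delta(v) of each transition, and
    place_label gives lambda(p) in {"e", "i", "x"}.  (Constructed representation.)
    """

    def __init__(self, places, transitions, weights, delta, place_label):
        self.P = list(places)
        self.T = list(transitions)
        self.W = dict(weights)
        self.delta = dict(delta)
        self.lam = dict(place_label)

    def w(self, x, y):
        return self.W.get((x, y), 0)


def rt(*timed_transitions):
    """Multiset RT of timed transitions (v, d'), d' being the real duration."""
    return Counter(timed_transitions)


def initial_marking(net):
    """The entry marking (entry places, empty): one available token per entry place."""
    return (Counter(p for p in net.P if net.lam[p] == "e"), Counter())


def enabled(net, M, RT):
    """RT is enabled at M = (Ma, Me) iff every real duration reaches the minimum
    duration of its transition and the available tokens cover every precondition."""
    Ma, _ = M
    if any(d < net.delta[v] for (v, d), n in RT.items() if n > 0):
        return False
    demand = Counter()
    for (v, d), n in RT.items():
        for p in net.P:
            demand[p] += n * net.w(p, v)
    return all(Ma[p] >= demand[p] for p in net.P)


def fire(net, M, RT):
    """One step of the firing rule (Definition 5): marking at beta -> beta + 1."""
    assert enabled(net, M, RT), "RT is not enabled at M"
    Ma, Me = M
    Ma2, Me2 = Counter(Ma), Counter()
    for (v, d), n in RT.items():          # newly fired transitions (set C0)
        for p in net.P:
            Ma2[p] -= n * net.w(p, v)     # consumed tokens become frozen
        if d == 1:                        # real duration 1: finishes in this step (C1)
            for p in net.P:
                Ma2[p] += n * net.w(v, p)
        else:
            Me2[(v, d - 1)] += n
    for (v, d), n in Me.items():          # transitions already in execution
        if d == 1:                        # finishing now (set C2)
            for p in net.P:
                Ma2[p] += n * net.w(v, p)
        else:
            Me2[(v, d - 1)] += n          # assumption: summed with the new ones
    return (+Ma2, +Me2)                   # unary + drops zero entries


def token_marking(net, M):
    """T(M) = (Ma, Mf): Mf(p) counts the executing transitions v with (p, v) in F."""
    Ma, Me = M
    Mf = Counter()
    for (v, d), n in Me.items():
        for p in net.P:
            if net.w(p, v) > 0:
                Mf[p] += n
    return (Ma, Mf)


def is_safe(net, M):
    """Each place holds at most one token, available or frozen."""
    Ma, Mf = token_marking(net, M)
    return all(Ma[p] + Mf[p] <= 1 for p in net.P)


def run(net, M, schedule):
    """Fire the multisets in schedule, one per time unit; returns the markings visited."""
    history = [M]
    for RT in schedule:
        M = fire(net, M, RT)
        history.append(M)
    return history


def example_net():
    # Constructed net:  e --v1 (delta 1)--> i --v2 (delta 2)--> x
    return TimedPlainNet(
        places=["e", "i", "x"], transitions=["v1", "v2"],
        weights={("e", "v1"): 1, ("v1", "i"): 1, ("i", "v2"): 1, ("v2", "x"): 1},
        delta={"v1": 1, "v2": 2}, place_label={"e": "e", "i": "i", "x": "x"})


if __name__ == "__main__":
    net = example_net()
    # v1 fires with real duration 1 and completes within the step; v2 fires with
    # real duration 3 >= delta(v2) = 2, so the token on i stays frozen for two more
    # steps: the counterpart of (B1), (B2), (B2), (B3) for the basic action {.}:2.
    for M in run(net, initial_marking(net), [rt(("v1", 1)), rt(("v2", 3)), rt(), rt()]):
        print(dict(M[0]), dict(M[1]), "frozen:", dict(token_marking(net, M)[1]))
```

Two of the checks worth noticing: firing v2 with real duration 1 is rejected because it is below delta(v2), and while v2 is executing the token on its precondition is frozen, so v2 is not enabled again even though the place is not empty, which is exactly what keeps the marking safe.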

4.1 A Domain of Timed Boxes 

Timed Petri boxes are equivalence classes of labelled timed Petri nets. A suitable 
equivalence relation should allow, at least, the derivation of identities such as 
those induced by associativity and commutativity of several operators, such as 
parallel composition or choice. Besides, this relation must allow us to abstract 
away the names of places and transitions; also it must provide a mechanism to 
identify duplicate elements in the nets. The relation that we propose is a natural 
extension of the one used in plain PBC, by adequately considering the temporal 
aspects of the nets, which means to preserve the duration of related transitions. 



Definition 6 (Structural equivalence). Let $N_1 = (P_1, T_1, F_1, W_1, \lambda_1)$ and 
$N_2 = (P_2, T_2, F_2, W_2, \lambda_2)$ be two operator nets. They are said to be structurally 
equivalent (or just equivalent) iff there is a relation $\varphi \subseteq (P_1 \cup T_1) \times (P_2 \cup T_2)$ 
such that: 

1. $\varphi(P_1) = P_2$ and $\varphi^{-1}(P_2) = P_1$, 

2. $\varphi(T_1) = T_2$ and $\varphi^{-1}(T_2) = T_1$, 

3. $\forall (p_1, p_2), (v_1, v_2) \in \varphi\ \ W_1(p_1, v_1) = W_2(p_2, v_2)$ and $W_1(v_1, p_1) = W_2(v_2, p_2)$, 

4. If $(x_1, x_2) \in \varphi$ then $\lambda_1(x_1) = \lambda_2(x_2)$, 

5. $\forall v_1 \in T_1, v_2 \in T_2\ \ |\varphi(v_1)| = 1$ and $|\varphi^{-1}(v_2)| = 1$. 

Let $N_1 = (P_1, T_1, F_1, W_1, \delta_1, \lambda_1, M_1)$ and $N_2 = (P_2, T_2, F_2, W_2, \delta_2, \lambda_2, M_2)$ be two 
marked timed plain nets. They are said to be structurally equivalent (or just 
equivalent) iff there is a binary relation $\varphi \subseteq (P_1 \cup T_1) \times (P_2 \cup T_2)$ such that: 

1-4. As before, 

5. If $(v_1, v_2) \in \varphi$ then $\delta_1(v_1) = \delta_2(v_2)$, 

6. If $(p_1, p_2) \in \varphi$ then $M_1^a(p_1) = M_2^a(p_2)$, 

7. If $(v_1, v_2) \in \varphi$ then $\forall d \in \mathbb{N}^+\ \ M_1^e(v_1, d) = M_2^e(v_2, d)$. 

There are several conditions that a net $N$ has to satisfy in order to generate 
a timed box. First, we impose T-restrictedness, which means that the pre-set 
and post-set of each transition are non-empty sets. Besides, we impose ex- 
restrictedness (there is at least one entry place and one exit place) and ex- 
directedness (pre-sets of entry places and post-sets of exit places are empty). All 
these assumptions are inherited from the untimed version of the calculus. 

Remark 7. Next we will only consider nets $N$ satisfying the following conditions: 

• $N$ is T-restricted: $\forall v \in T\ \ {}^\bullet v \neq \emptyset \neq v^\bullet$, 

• There are no side conditions: $\forall v \in T\ \ {}^\bullet v \cap v^\bullet = \emptyset$, 

• $N$ has at least one entry place: ${}^\bullet N \neq \emptyset$, 

• $N$ has at least one exit place: $N^\bullet \neq \emptyset$, 

• There are no incoming arcs to entry places and no outgoing arcs from exit 
places: ${}^\bullet({}^\bullet N) = \emptyset \wedge (N^\bullet)^\bullet = \emptyset$, 

• $N$ is simple: $\forall p \in P\ \forall v \in T\ \ W(p, v), W(v, p) \in \{0, 1\}$. 



Definition 8 (Plain and operator timed boxes). 

• A marked timed plain box $B$ is an equivalence class $B = [N]$ induced by the 
structural equivalence over labelled nets, where $N$ is a marked plain net. 

• An operator box $\Omega$ is an equivalence class $\Omega = [N]$ induced by the structural 
equivalence over labelled nets, where $N$ is an operator net. 

Plain timed boxes will be the semantic objects to be associated with syntactic 
expressions, that is, the denotational semantics of an expression will always be 
a plain box. Its structural construction relies on operator boxes. Each semantic 
operator has a certain number of arguments (the same as the corresponding 
syntactic operator has). By applying them to a tuple of arguments we can obtain 
a new plain box, using the refinement procedure which we will explain later. 

Next we define static and dynamic boxes. A plain box $B$ is static if the 
marking of its canonical representative is empty ($M^a = \emptyset \wedge M^e = \emptyset$), and the 
reachable markings from the initial one $({}^\bullet N, \emptyset)$ are safe and clean. A plain box 
$B = [(P, T, F, W, \delta, \lambda, M)]$ is dynamic if the following conditions are satisfied: 

• The marking $M$ of its canonical representative is non-empty, 

• The plain box $[(P, T, F, W, \delta, \lambda, (\emptyset, \emptyset))]$ is static, 

• The reachable markings from $M$ are safe and clean. 

The set of static boxes is $Box^s$, and the set of dynamic boxes is $Box^d$. 

Plain boxes are classified in several classes depending on the type of tokens 
that they contain, and the labels of the places they are in. 
Definition 9 (Classes of plain boxes). Let $B = [(P, T, F, W, \delta, \lambda, (M^a, M^e))]$ 
be a plain box. We say that $B$ is a stable box if $M^e = \emptyset$; otherwise we say 
that $B$ is unstable. If $B$ is a stable box, then we say that it is an entry-box if 
$M^a = {}^\bullet B$; an exit-box if $M^a = B^\bullet$; and an intermediate-box otherwise. These 
classes are denoted by $Box^{st}$, $Box^{unst}$, $Box^e$, $Box^x$ and $Box^i$, respectively. 

For operator boxes we need the additional property of being factorisable. In 
order to extend this notion to the timed case we first present the concept of 
(reachable) marking of an operator box. In this case it is enough to know how 
available and frozen tokens are distributed. By means of them we define which 
arguments of the operator are stable and which ones are in execution. 

Definition 10 (Markings of operator boxes). Let $\Omega = [(P, T, F, W, \lambda)]$ be 
an operator box. A marking $M$ of $\Omega$ is a pair $(M^a, M^f) \in \mathcal{M}(P) \times \mathcal{M}(P)$. 

In the definition above $M^a$ represents the multiset of available tokens, while 
$M^f$ defines the set of places where we have frozen tokens. 

Definition 11 (Reachable markings of operator boxes). Let 
$\Omega = [(P, T, F, W, \lambda)]$ be an operator box. We say that a multiset of transitions 
$RT \in \mathcal{M}(T)$ is enabled at a marking $M$ if the following condition is satisfied: 

$\forall p \in P\ \ M^a(p) \ge \sum_{v \in T} RT(v) \cdot W(p, v)$. 

The set of reachable markings of $\Omega$ after the firing of $RT$ is defined as the 
set of markings $(M'^a, M'^f)$ such that: 

- $M'^a = M^a - \sum_{v \in T} RT(v) \cdot W(\cdot, v) + \sum_{v \in C} W(v, \cdot)$, 

- $M'^f = M^f + \sum_{v \in T} RT(v) \cdot W(\cdot, v) - \sum_{v \in C} W(\cdot, v)$, 

where $C$, the set of transitions whose execution terminates in this step, contains 
only transitions that are already in execution (their preconditions hold frozen 
tokens of $M^f$) or that belong to $RT$. 

Available tokens indicate the arguments of the connective which are in stable 
form (that is, they have no executing transition), while frozen tokens indicate the 
ones that are currently in execution. The condition of factorisability tries to cap- 
ture these distributions of tokens. Basically, it means that when a postcondition 
(precondition) of a transition is marked, all its postconditions (preconditions) 
must also be marked with tokens of the same type. To define the condition three 
sets of transitions are considered, one for frozen tokens and two for available 
tokens. This distinction is necessary because frozen tokens are always placed 
in the preconditions of the transitions in execution, while available tokens can 
either be consumed by the firing of a transition or obtained as a consequence of 
the execution of another transition. 

Definition 12 (Factorisability). Let $\Omega = [(P,T,F,W,\lambda)]$ be an operator box and $M = (M^{a}, M^{f})$ be a marking of $\Omega$. A factorisation of $M$ is a triple of sets of transitions $\Phi = (\Phi_1, \Phi_2, \Phi_3)$ such that the following conditions hold:



We say that $\Omega$ is factorisable iff every safe marking $M \in \mathit{Reach}(\Omega, ({}^{\circ}\Omega, \emptyset))$ satisfies that for every set $U$ of transitions enabled at $M$, there is a factorisation $\Phi = (\Phi_1, \Phi_2, \Phi_3)$ of $M$ such that $U \subseteq \Phi_1$. In the following, the set of factorisations of $\Omega$ is denoted by $\mathit{fact}_\Omega$, and we will use $\Phi$ to denote $\Phi_1 \cup \Phi_2 \cup \Phi_3$.

If factorisability were violated, the marking of an operator box could not be distributed over its arguments. Indeed, when factorisability is violated there must be a token (available or frozen) which can neither have been produced by the firing of any transition, nor enable by itself any marking; otherwise all the preconditions or postconditions of the involved transition would be marked.

Now we can finally define operator boxes: 

Definition 13 (Acceptable operator boxes). Let $(P,T,F,W,\lambda)$ be an operator net satisfying the requirements of the Remark. The equivalence class $\Omega = [(P,T,F,W,\lambda)]$ is an acceptable operator box if it is factorisable, and all the markings reachable from $({}^{\circ}\Omega, \emptyset)$ are safe and clean.



The denotational semantics of the algebra is defined in Figure 1. From left to right and top to bottom, we show the semantics of: basic actions ($a:d$, $\overline{a:d}$, $a:d,d'$ and $\underline{a:d}$); disjoint parallelism ($\_\|\_$), sequential composition ($\_;\_$), and choice ($\_\square\_$); synchronization ($\_\,\mathrm{sy}\,a$), restriction ($\_\,\mathrm{rs}\,a$), hiding ($[a:\_]$), basic relabelling ($\_[f]$) and iteration ($[\_*\_*\_]$). In this figure, frozen tokens only appear in the semantics of $a:d,d'$, where the corresponding marking is given by $M^{a} = \emptyset$ and $M^{f} = \{(a,d')\}$.

4.2 Refinement 

Refinement is the mechanism to obtain a plain box $\mathit{op}_\Omega(B_1, B_2, \ldots, B_n)$ from a given operator box $\Omega$ and a tuple of plain boxes $(B_1, B_2, \ldots, B_n)$. The basic idea is that every transition of the operator box is replaced by one element of the tuple $(B_1, B_2, \ldots, B_n)$, after the changes indicated by the label of the transition have been applied to it.

In the static case, when the involved boxes are unmarked, the mechanism followed is the same as in plain PBC. The same happens when frozen tokens are not involved. We will just comment on how it works in the remaining case.




Fig. 1. Denotational semantics of TPBC
When frozen tokens appear, the refinement basically involves the same structural changes as those in plain PBC [ref]. However, this procedure has been slightly modified with two purposes. First, we avoid the existence of arcs with a weight greater than one, which in fact were useless, since they only increase the size of the obtained box without allowing new firings. The second and more important aim is the inclusion of time. The underlying intuition is that any transition in execution in a box remains the same when this box is "mixed" with some others, unless it proceeds from a synchronization, in which case the synchronized transitions can be considered in execution.

The following definition of the refinement domain reflects the fact that each 
operator box is a partial operation from plain boxes to plain boxes. 

Definition 14 (Refinement domain). Let $\Omega = (P,T,F,W,\lambda)$ be an operator box with $n$ arguments. The domain of application of $\Omega$, denoted by $\mathit{dom}_\Omega$, is defined by the following conditions:

1. It comprises all the tuples $(B_{v_1}, B_{v_2}, \ldots, B_{v_n})$ of static plain boxes.

2. For every factorisation $\Phi = (\Phi_1, \Phi_2, \Phi_3) \in \mathit{fact}_\Omega$, it comprises all tuples of boxes $B = (B_{v_1}, B_{v_2}, \ldots, B_{v_n})$ such that:

• $\forall v \in \Phi_1$, $B_v$ belongs to one of the two classes of boxes with stable non-final markings,

• $\forall v \in \Phi_2$, $B_v$ belongs to the class of unstable boxes,

• $\forall v \in \Phi_3$, $B_v$ belongs to the class of boxes with terminal markings,

• $\forall v \in T \setminus \Phi$, $B_v$ belongs to the class of boxes with empty markings.

$\Phi_1$ indicates which transitions will be replaced by boxes that contribute stable non-final markings; $\Phi_2$ represents the transitions corresponding to unstable boxes; $\Phi_3$ denotes the transitions instantiated by boxes with terminal markings, and $T \setminus \Phi$ are the remaining transitions, that is, those which contribute empty markings to the generated plain box.

In order to simplify the formal definition of refinement, we assume that in operator boxes all place and transition names of their canonical representatives are primitive names from $P_{op}$ and $T_{op}$, respectively. We shall further assume that in basic plain boxes, that is, in the denotational semantics of basic actions, all places and transitions have primitive names from, respectively, $P_{box}$ and $T_{box}$. As we will see, when we apply this mechanism, the names of the newly constructed places and transitions are labelled trees belonging to two sets denoted by $P_{tree}$ and $T_{tree}$, respectively. These trees are defined recursively, so each subtree of such a tree is also in the corresponding set.

Next we define a collection of auxiliary concepts which will be later used in 
order to adequately define the frozen tokens of any net obtained by refinement. 

Definition 15. If $q = l(q_1, \ldots, q_n) \in T_{tree}$, where $l$ is the label of its root and $q_1, \ldots, q_n$ are the root's sons, we say that each $q_i$ is a component of $q$. In the following, we will denote the set of components of $q$, $\{q_1, \ldots, q_n\}$, by $\mathit{comp}(q)$.

Definition 16. Given $T_1, T_2 \subseteq T_{tree}$, we say that $\mathit{dec} : T_1 \to T_2 \times \mathbb{N}$ is a decomposition of $T_1$ iff the following condition holds:

$$\forall q \in T_1 \quad \mathit{dec}(q) = (l(q_1, \ldots, q_n), k) \ \text{ with } \ q_k = q$$

$\mathit{dec}$ is a consistent decomposition iff the following condition is satisfied:

$$\forall q' = l(q_1, \ldots, q_n) \in T_2 \quad (\exists k \in \mathbb{N}\ \exists q \in T_1,\ \mathit{dec}(q) = (q', k)) \Rightarrow (\forall k \in 1..n\ \exists q \in T_1,\ \mathit{dec}(q) = (q', k))$$

Finally, if $B = [(P,T,F,W,\delta,\lambda,(M^{a},M^{f}))]$ is a timed plain box, $T_1 \subseteq T$, and $\mathit{dec} : T_1 \to T_2 \times \mathbb{N}$ is a decomposition of $T_1$, we say that $\mathit{dec}$ is a timed consistent decomposition iff the following condition holds:

$$\forall q' = l(q_1, \ldots, q_n) \in T_2 \quad (\exists k \in \mathbb{N}\ \exists q \in T_1,\ \mathit{dec}(q) = (q', k)) \Rightarrow (\exists d \in \mathbb{N}^{+}\ \forall k \in 1..n\ \exists q \in T_1,\ (q, d) \in M^{f} \wedge \mathit{dec}(q) = (q', k))$$
The formal definition of refinement is the following: 

Definition 17 (Refinement). Let $\Omega = [(P,T,F,W,\lambda)]$ be an operator box, and for each $v \in T$ let $B_v = [(P_v,T_v,F_v,W_v,\delta_v,\lambda_v,(M^{a}_v,M^{f}_v))]$ be a timed plain box. Under the assumptions above on $\Omega$ and $B = (B_{v_1}, B_{v_2}, \ldots, B_{v_n})$, the result of the simultaneous substitution of the nets $B_{v_i}$ for the transitions in $\Omega$ is any timed plain box whose canonical representative is a timed plain net

$$\mathit{op}_\Omega(B) = (P_0, T_0, F_0, W_0, \delta_0, \lambda_0, (M^{a}_0, M^{f}_0))$$

defined as follows:

1. Places, their labels and markings: The set of places, $P_0$, is given by

$$P_0 = \Big(\bigcup_{v \in T} IP^{v}_{new}\Big) \cup \Big(\bigcup_{p \in P} OP^{p}_{new}\Big)$$

where the sets $IP^{v}_{new}$ and $OP^{p}_{new}$ are defined as follows:

- For each $v \in T$, $IP^{v}_{new}$ is the set of places $\{v.p_v \mid p_v \text{ internal place in } P_v\}$. The label of all these places is $i$ and their marking is given by $M^{a}_v(p_v)$.

- Let $p \in P$ with ${}^{\bullet}p = \{v_1, v_2, \ldots, v_k\}$ and $p^{\bullet} = \{v_{k+1}, v_{k+2}, \ldots, v_{k+m}\}$. Then $OP^{p}_{new}$ is the set of places $p(v_1 \triangleleft p_1, \ldots, v_{k+m} \triangleleft p_{k+m})$ where

$$p_i \in (P_{v_i})^{\circ} \quad \forall i \in \{1, \ldots, k\}$$

$$p_i \in {}^{\circ}(P_{v_i}) \quad \forall i \in \{k+1, \ldots, k+m\}.$$

Each one of these places will be labelled by $\lambda(p)$ and its marking is $M^{a}_{v_1}(p_1) + M^{a}_{v_2}(p_2) + \ldots + M^{a}_{v_{k+m}}(p_{k+m})$.

2. Transitions, their labels and durations: The set of transitions $T_0$ is defined by

$$T_0 = \bigcup_{v \in T} T^{v}_{new}$$

where for each $v \in T$ the set $T^{v}_{new}$ is obtained as follows: whenever we have a pair of the form $(\{\lambda(q_1):d_1, \lambda(q_2):d_2, \ldots, \lambda(q_n):d_n\}, a:d) \in \lambda(v)$ for $q_i \in T_v$, and the following condition holds:

$$\forall i,j \in \{1, \ldots, n\} \quad i \neq j \Rightarrow ({}^{\bullet}q_i \cap {}^{\bullet}q_j = \emptyset) \wedge (q_i^{\bullet} \cap q_j^{\bullet} = \emptyset),$$

a new transition $v.a(q_1, \ldots, q_n)$ is generated. Its duration is $d$ and its label is $a$. In the following, we will denote the transition $v$ by $\mathit{root}(v_0)$.

3. Set of arcs: For each transition $v_0$ in $T_0$, the arcs leaving or reaching $v_0$ in $F_0$ are those obtained as follows:

• $p_0 = v.p_v \in IP^{v}_{new}$:
if $\exists q_i \in \mathit{comp}(v_0)$, $(p_v, q_i) \in F_v$ then $(p_0, v_0) \in F_0$;
if $\exists q_i \in \mathit{comp}(v_0)$, $W_v(q_i, p_v) = 1$ then $(v_0, p_0) \in F_0$.

• $p_0 = p(v_1 \triangleleft p_1, \ldots, v_{k+m} \triangleleft p_{k+m}) \in OP^{p}_{new}$:
if $\exists i \in \{1, \ldots, k+m\} \wedge \exists q_j \in \mathit{comp}(v_0)$, $(p_i, q_j) \in F_{v_i}$ then $(p_0, v_0) \in F_0$;
if $\exists i \in \{1, \ldots, k+m\} \wedge \exists q_j \in \mathit{comp}(v_0)$, $(q_j, p_i) \in F_{v_i}$ then $(v_0, p_0) \in F_0$.

The weight function returns 1 for all the arcs in $F_0$.

4. Transitions in execution (frozen tokens): The frozen marking $M^{f}_0$ will be defined as the union of a collection of submarkings $M^{f}_{0,v}$ with $v \in T$. As a matter of fact, each $M^{f}_{0,v}$ is not defined in a unique way, and therefore we will have several possible frozen markings $M^{f}_0$. This is justified for technical reasons: once we prove the equivalence between the operational and the denotational semantics, we obtain as a consequence that all the different boxes defining the denotational semantics of an expression are in fact equivalent. Thus, we could also select any of the possibilities to obtain a function instead of a relation, but if we did it this way the definition would be much less readable.

Then, in order to get a value for each $M^{f}_{0,v}$, we consider any timed consistent decomposition $\mathit{dec} : T_1 \to T_0 \times \mathbb{N}$ (with $T_1 \subseteq T_v$), and we take as $M^{f}_{0,v}$

$$M^{f}_{0,v} = \{q' \in T_0 \mid \exists q \in M^{f}_v,\ \mathit{dec}(q) = (q', k)\}$$

where for each $q' \in M^{f}_{0,v}$ we take $\mathit{rem}(q') = \mathit{rem}(q)$.



Theorem 18.

1. Every step sequence of the operational semantics of $G$ is also a step sequence of any of the timed plain boxes corresponding to $G$.

2. Every step sequence of any of the timed plain boxes corresponding to $G$ is also a step sequence of the operational semantics of $G$.

Proof. It follows the lines of that for plain PBC [ref], with the changes needed to cope with time information (see [ref]). Unfortunately, the original proof is so long and involved that it is not possible even to sketch it here. It would be nice to comment at least on the necessary changes needed to extend the proof, but this is not possible either, since they are both local and distributed all along the proof. Therefore, we will only justify here why we need nondeterminism in the definition of the denotational semantics. This is needed in order to preserve a one-to-one relation between the evolution of the expressions and that of their denotational semantics, since there are some expressions which evolve to the same one after the execution of different multibags, but the same is not true for the evolution of a single box.
5 Example: A Producer/Consumer System

In this section we present an example that models the producer/consumer system with a buffer of capacity 1. The system describes the behaviour of a simple production line which involves two workers. A conveyor belt is between them, so it can hold any item that has been produced by the first worker and has to be consumed by the second.

The given specification consists of three components that are combined to obtain the TPBC expression of the system: the producer system, the consumer system and the conveyorBelt system. The timing assigned to them reflects a set of hypotheses about the production and consumption speed and the characteristics of the conveyor belt.

• $\mathit{producer} = [(\{a, b\} : 1) * ((p : 2); (pb : 1)) * (\{\neg a, \neg b\} : 1)]$

• $\mathit{consumer} = [(\{a, b\} : 1) * ((gb : 1); (c : 1)) * (\{\neg a, \neg b\} : 1)]$

• conveyorBelt = [G1 * [(pT : 1) * ((gb : 1; gTj l)0(g''b : 1; pT : 1)) * (gT : 1)] * G2]
where $G_1 = (\{b, b\} : 1)$ and $G_2 = (\{\neg b, \neg b\} : 1)$

• $\mathit{system} = (((\mathit{producer} \| \mathit{consumer})\ \mathrm{sy}\ A \| \mathit{conveyorBelt})\ \mathrm{sy}\ B)\ \mathrm{rs}\ (A \cup B)$
where $A = \{a, \neg a\}$ and $B = \{b, \neg b, pb, gb\}$

The meaning of the actions is the following:

p: Produce an item.

c: Consume an item.

pb: Put an item onto the conveyor belt.

gb: Get an item from the conveyor belt.

b, ¬b: Activate and deactivate the running of the conveyor belt.

a, ¬a: Activate and deactivate the production/consumption of items.

Figure 2 shows the denotational semantics of the producer and consumer expressions. The construction of the boxes corresponding to the conveyorBelt and the full system expressions can be completed in the same way, but due to lack of space we cannot show the obtained nets. The equivalence between the operational semantics of the given expressions and those of the obtained nets can be checked by hand.




Fig. 2. The producer/consumer problem 



6 The Time-Constraining Operators 

The previous sections describe a simple timed extension of the basic model in which we do not need to introduce any new operator. Note that due to rules (V1) and (V2), processes can let time progress indefinitely. More precisely, for any overlined or underlined process, time passes without causing any change of state, apart from the fact that processes become stable after finishing their pending actions.

This property, called unlimited waiting, is not very useful from a practical point of view. We need to introduce some kind of urgency in the formalism; otherwise, the expressive power of TPBC would be limited to the specification of very simple systems. Therefore, in this section we will add to our model some new features that force systems to evolve, namely timed choice and time-out with exception handler.

6.1 Timed Choice 

Timed choice constrains an action to occur at some instant of a given interval $[t_0, t_1]$. That is, an action so restricted cannot begin its execution either before $t_0$ or after $t_1$. The static expression used to implement this behaviour is $a^{[t_0,t_1]} : d$, where $a \in \mathcal{M}(A)$, $t_0 \in \mathbb{N}$, $d \in \mathbb{N}^{+}$, and $t_1 \in \mathbb{N}^{+} \cup \{\infty\}$.

Depending on the values of $t_0$ and $t_1$ there are three particular cases of timed choice. A rough description of each one is as follows:

1. Finite delay: It corresponds to expressions of the form $a^{[t_0,\infty]} : d$, where $t_0 \neq 0$ (note that processes of the form $a^{[0,\infty]} : d$ are just equivalent to $a : d$). When such an expression gets the control of the system, it delays the execution of the action $a : d$ for at least $t_0$ time units.

2. Time-out: It is obtained when $t_0 = 0$ and $t_1 \neq \infty$. If a process of the form $a^{[0,t_1]} : d$ is activated, the beginning of the execution of $a : d$ cannot be postponed more than $t_1$ units of time.

3. Time-stamped actions: We say that an action is time-stamped when its execution is forced to start at a given instant. The corresponding static expressions are $a^{[t_0,t_0]} : d$ with $t_0 \neq \infty$, which we will usually abbreviate as $a^{t_0} : d$.

Now, activated timed choices need information about the passage of time over the system components. More exactly, it is necessary to know for how long a timed choice has been activated, in order to restrict the beginning of the execution of the corresponding action. Until now, dynamic expressions only give us information about the global state of processes, in such a way that an external observer is able to determine whether a process has pending actions or not, but there is no way to obtain quantitative information about time, unless the observer knows the full history of the process.

With the purpose of avoiding this limitation, we introduce a temporal annotation over both overlined and underlined expressions. In the first case, the new clock tells us for how long the process has been activated, while in the second case it tells us how long ago the process finished. This annotation will be included as an index next to the corresponding bars.

Due to these modifications, the operational semantics previously defined must be changed. In particular, every clock of the system needs to be updated when time progresses. This is done by means of the new rules (V1) and (V2):

$$\overline{E}_k \longrightarrow \overline{E}_{k+1} \quad \text{(V1)} \qquad\qquad \underline{E}_k \longrightarrow \underline{E}_{k+1} \quad \text{(V2)}$$
Table 1. New transition rules with time information [table omitted: rules (B1)-(B3) for basic actions $a : d$, (Pc1)-(Pc3) for parallel composition, (Sc1)-(Sc5) for sequential composition, (Ch1a), (Ch1b), (Ch2a), (Ch2b) for choice, (S1)-(S3) for synchronization, (Rs1)-(Rs3) for restriction, (Sp1)-(Sp3) for hiding, (Rl1)-(Rl3) for relabelling and (It1)-(It5) for iteration]



In addition to this, we have to modify most of the rules concerned with control transmission. The resulting rules are those shown in Table 1, and the reasoning supporting them is straightforward. Next comes the definition of the operational semantics of timed choice, which is shown in Table 2. Rule (TCh1) states that such a process can perform the empty timed bag at any time. In order to restrict the execution of the action $a : d$, the value $k$ of the system clock is compared with the limits of the interval $[t_0, t_1]$. If $t_0 \leq k \leq t_1$ we can apply rule (TCh2), which establishes that the corresponding (activated) timed choice, $\overline{a^{[t_0,t_1]} : d}_k$, can perform the timed bag $\{ad'\}$. Afterwards, rules (TCh3) and (TCh4) define the expected behaviour: the remaining execution of $\{ad'\}$ is hidden from the observer, who only sees the passage of time (rule (TCh3)). When the action terminates, the process is underlined and the value of its clock is reset to zero (rule (TCh4)).

6.2 Time-Out with Exception Handler 

By means of the timed choice operator just introduced, we are able to limit the time at which a process will be able to start its execution. If this time is exceeded, the process dies, and there is no way to express that some alternative continuation will be activated. In order to get this, we introduce a new operator called time-out with exception handler. This operator has two arguments, $E, F \in \mathit{Expr}$, and a parameter $t_0 \in \mathbb{N}$. $E$ is called the body and $F$ the exception handler of the time-out.
Table 2. Operational semantics of timed choice

$$\overline{a^{[t_0,t_1]} : d}_k \longrightarrow \overline{a^{[t_0,t_1]} : d}_{k+1} \qquad \text{(TCh1)}$$

$$\overline{a^{[t_0,t_1]} : d}_k \xrightarrow{\{ad'\}} a^{[t_0,t_1]} : d, d'-1 \quad \text{if } k \geq t_0,\ k \leq t_1 \text{ and } d' \geq d \qquad \text{(TCh2)}$$

$$a^{[t_0,t_1]} : d, d' \longrightarrow a^{[t_0,t_1]} : d, d'-1 \quad \text{if } d' > 0 \qquad \text{(TCh3)}$$

$$a^{[t_0,t_1]} : d, 0 \longrightarrow \underline{a^{[t_0,t_1]} : d}_0 \qquad \text{(TCh4)}$$



When a time-out with exception handler gets the control, it behaves as its body whenever it begins to perform actions before the instant $t_0$; otherwise, after time $t_0$, the process behaves as defined by its exception handler.

The static form of a time-out with exception handler is $\lfloor E \rfloor^{t_0} F$. The possible dynamic forms are equivalent to either $\lfloor G \rfloor^{t_0,t} F$ with $t \geq -1$, or $\lfloor E \rfloor^{t_0,-1} G$. In both cases, the expressions include two temporal annotations. The former is the parameter of the time-out and it is immutable, that is, it does not change during the execution of the process. If $t$ is the value of the latter, this means that the exception handler $F$ will be activated within $t$ time units, unless the body of the time-out begins its execution before. $t$ is set to $-1$ when either the body of the time-out has begun to execute its first action before $t_0$, or that limit has been exceeded without performing any non-empty transition of $F$. The operational semantics reflecting these ideas is shown in Table 3.

Rules (Te1a) and (Te1b) state that we have two cases depending on the time elapsed since the activation of the process: if $k < t_0$ then the body gets the control of the system, and it has $t_0 - k$ time units to execute its first action (rule (Te1a)). Otherwise, the exception handler of the time-out is activated, just as rule (Te1b) states. Rule (Te2a) shows how the passage of time affects this class of processes. Notice carefully that control is transmitted according to the second temporal annotation, so the first argument remains active as long as $t > 0$. Otherwise, the body has totally consumed its available time and the exception handler is activated. The performance of actions is formalized by means of rules (Te2b), (Te3b), and (Te4b), whose explanation is straightforward. They can be applied to any equivalent form of the arguments (rules (Te3a) and (Te4a)). Finally, a time-out with exception handler finishes its execution when either its body or its exception handler terminates (rules (Te5a) and (Te5b)).

6.3 Remarks on Denotational Semantics 

Denotational semantics of the time-constraining operators can be found in [ref]. Plain nets have been modified by adding temporal restrictions to transitions, and by labelling the available tokens in the net with their age. Then, a modified firing rule uses this information, in such a way that a transition $v$ restricted by an interval $[t_0, t_1]$ can only consume tokens younger than $t_1$.

Predicate $\mathit{Init}(G)$ (see [ref]) returns true if and only if $G$ is equivalent to some overlined expression $H$.
Table 3. Operational semantics of the time-out with exception handler [table omitted: rules (Te1a), (Te1b), (Te2a), (Te2b), (Te3a), (Te3b), (Te4a), (Te4b), (Te5a) and (Te5b); the side conditions visible are $k < t_0$, $\mathit{Init}(G) \wedge t \geq 1$, $\mathit{Init}(G) \wedge t \geq 0$ and $\neg\mathit{Init}(G)$]



As a consequence, we obtain that a transition generated by synchronization is enabled at a marking $M$ if and only if all its component transitions would be enabled. This is also true even if any of these components have been removed by application of a restriction operator. This is probably the most important difference between our model and that in [ref]. There the author had to introduce illegal action occurrences in order to reflect some (intuitively undesirable) synchronizations whenever they become executable in the box defining the denotational semantics of an expression. This happens when the application of a restriction operator removes some timing restrictions which made the synchronization non-executable before the application of the restriction operator.

Although in that paper the author does not explain why he decided to obtain the equivalence between both semantics by allowing the execution of impossible synchronizations, we assume that he wanted to maintain that equivalence result without changing the ideas of untimed PBC too much. As a consequence, it is not possible to avoid the fireability of those impossible synchronizations. To avoid it, the introduction of age information in the tokens is mandatory, as we have done in our model. So, we have to pay the price of a more complicated model, but as a reward we avoid those undesirable transitions.
7 Conclusions and Work in Progress

In this paper we have presented a new proposal to introduce time in PBC, preserving the main ideas of this model as far as possible. In the discussed model, called TPBC (Timed PBC), processes execute actions which have a duration.

The work by Koutny [ref] has been somewhat completed by considering an alternative model. More importantly, we have defined a more involved model in order to avoid the generation of undesired transitions. This cannot be done if we just work with plain time Petri nets, since these are not prepared to support the correct definition of some time operators such as urgency.

As work in progress, we are currently introducing into the calculus new features enhancing its time characteristics, mainly maximal parallelism and urgency. Another line of research concerns not only TPBC but also the original PBC. In order to exploit these Petri box calculi, we are working on the axiomatization of the semantics, as is done in the framework of process algebras. Once we get the equations of this axiomatization, we will try to interpret them at the level of Petri nets, obtaining a collection of basic correct transformations. We are sure that this will be a fine way to exploit the facilities of both PBC and TPBC.
Abstract. The paper deals with verification of untimed branching time properties of Time Petri Nets. The atomic variant of the geometric region method for preserving properties of CTL* and ACTL* is improved. Then, it is shown, for the first time, how to apply the partial order reduction method to deal with next-time free branching properties of Time Petri Nets. The above two results are combined, offering an efficient method for model checking of $\mathrm{ACTL}_{-X}$ and $\mathrm{CTL}_{-X}$ properties of Time Petri Nets.

1 Introduction 

Model checking is one of the most popular methods of automated verification of concurrent systems, e.g., hardware circuits, communication protocols, and distributed programs. However, the practical applicability of this method is strongly restricted by the state explosion problem, which is mainly caused by representing concurrency of operations by their interleaving. Therefore, many different reduction techniques have been introduced in order to alleviate the state explosion. The major methods include application of partial order reductions [ref, Val89, ref], symmetry reductions [ref], abstraction techniques [DGG94], BDD-based symbolic storage methods [Bry86], and SAT-related algorithms [BCCZ99].

Recently, the interest in automated verification is moving towards concurrent real-time systems. Two main models for representing such systems are usually exploited: timed automata [AD94], and Time Petri Nets [BD91]. The properties to be verified are expressed in either a standard temporal logic like LTL and CTL*, or in its timed version like MITL [AFH96], and TCTL [ACD90].

Most of the efficient reduction techniques exist for linear time formalisms. For verification of concurrent systems this is maybe sufficient, but evidently it is not for verification of timed and multi-agent systems. If one reviews the existing verification methods for multi-agent systems [ref], then it is easy to notice that most of them rely on translating the formalisms to branching time temporal logics (see the description of Nepi, KARO, HSTS in [ref]). This is one of the new important motivations for considering reduction methods for branching time properties.

The present paper deals with verification of untimed branching time temporal properties of Time Petri Nets. Since Time Petri Nets usually have infinite state spaces, abstraction techniques [DGG94] are used to represent these by finite ones. To reduce the sizes of abstract state spaces, partial order reductions are used. The main contribution of the paper relies on:

— improving the variant of the geometric region method for defining abstract state spaces preserving properties of CTL* and ACTL* such that the structure of a verified formula is exploited,

— showing, for the first time, how to extend the po-reduction methods of [ref] to deal with next-time free branching properties of Time Petri Nets,

— combining the above two results, offering an efficient method for model checking of $\mathrm{ACTL}_{-X}$ and $\mathrm{CTL}_{-X}$ properties of Time Petri Nets.

The rest of the paper is organized as follows. Section 2 reviews the existing results. In Section 3 Time Petri Nets and concrete state spaces are introduced. Temporal logics of branching time are defined in Section 4. Atomic and pseudo-atomic state spaces are described in Section 5. A partial order reduction method is presented in Section 6. The next two sections contain experimental results and conclusions.



2 Related Work 

Our approach to abstract state spaces of Time Petri Nets improves the one of [ref], which is a refinement of the method of [BD91, ref]. As far as we know, this approach gives much smaller state spaces than the region graph method of [ACD90]. So far, partial order reductions have been defined only for linear time properties, either for Time Petri Nets [YS97, Lil99] or for Timed Automata of standard [Pag96, DGKK98] or local semantics [ref, ref, Min99]. Our approach is closely related to [DGKK98], from which we draw the idea of the covering relation, and to [GKPP99, ref], from which we take the general method of partial order reductions preserving branching time properties.

The partial order approach presented in [ref] works for Time Petri Nets and TCTL, but due to a very restrictive notion of visibility (all the transitions easily become visible) it is of rather restricted practical value.

3 Time Petri Nets 

Let $\mathbb{Q}^{+}$ denote the set of non-negative rational numbers.

Definition 1. A Time Petri Net (TPN, for short) is a six-element tuple $N = (P, T, F, \mathit{Eft}, \mathit{Lft}, m_0)$, where

— $P = \{p_1, p_2, \ldots, p_m\}$ is a finite set of places,

— $T = \{t_1, t_2, \ldots, t_n\}$ is a finite set of transitions,

— $F \subseteq (P \times T) \cup (T \times P)$ is the flow relation,

— $\mathit{Eft}, \mathit{Lft} : T \to \mathbb{Q}^{+}$ are functions describing the earliest and the latest firing times of the transitions, such that $\mathit{Eft}(t) \leq \mathit{Lft}(t)$ for each $t \in T$, and

— $m_0 \subseteq P$ is the initial marking of $N$.

We also need the following notations and definitions:

— $\mathit{pre}(t) = \{p \in P \mid (p,t) \in F\}$ is the preset of $t \in T$,

— $\mathit{post}(t) = \{p \in P \mid (t,p) \in F\}$ is the postset of $t \in T$,

— A marking of $N$ is any subset $m \subseteq P$,

— A transition $t$ is enabled at $m$ ($m[t\rangle$, for short) if $\mathit{pre}(t) \subseteq m$ and $\mathit{post}(t) \cap (m \setminus \mathit{pre}(t)) = \emptyset$; and leads from marking $m$ to marking $m'$ ($m[t\rangle m'$), where $m' = (m \setminus \mathit{pre}(t)) \cup \mathit{post}(t)$.

— Let $\mathit{en}(m) = \{t \in T \mid m[t\rangle\}$.

For the ease of presentation we consider TPNs without self-loops, i.e., we require that $\mathit{pre}(t) \cap \mathit{post}(t) = \emptyset$ for all $t \in T$.



3.1 Concrete State Spaces of TPNs 

A concrete state $\sigma$ of $N$ is an ordered pair $(m, \mathit{clock})$, where $m$ is a marking and $\mathit{clock}$ is a function $T \to \mathbb{Q}^{+}$ which, for each transition $t$ enabled at $m$, gives the time elapsed since $t$ most recently became enabled. Therefore, the initial state of $N$ is $\sigma_0 = (m_0, \mathit{clock}_0)$, where $m_0$ is the initial marking and $\mathit{clock}_0(t) = 0$ for each $t \in T$. The states of $N$ change when time passes or a transition fires. In state $\sigma = (m, \mathit{clock})$, time $\tau \in \mathbb{Q}^{+}$ can pass leading to the new state $\sigma' = (m, \mathit{clock}')$ provided $\mathit{clock}(t) + \tau \leq \mathit{Lft}(t)$ for all $t \in \mathit{en}(m)$. Then, $\mathit{clock}'(t) = \mathit{clock}(t) + \tau$ for all $t \in T$ (denoted $\mathit{clock}' = \mathit{clock} + \tau$).

As well, in state $\sigma = (m, \mathit{clock})$ transition $t \in T$ can fire leading to the new state $\sigma' = (m', \mathit{clock}')$ (denoted $t(\sigma)$) if $t \in \mathit{en}(m)$ and $\mathit{Eft}(t) \leq \mathit{clock}(t) \leq \mathit{Lft}(t)$. Then, $m' = m[t\rangle$ and for all $u \in T$:

— $\mathit{clock}'(u) = 0$, for $u \in \mathit{en}(m') \setminus \mathit{en}(m \setminus \mathit{pre}(t))$,

— $\mathit{clock}'(u) = \mathit{clock}(u)$, otherwise.

Notice that firing of transitions takes no time. Let $\sigma \xrightarrow{(\tau,t)} \sigma'$ denote that $\sigma'$ is obtained from $\sigma$ by passing time $\tau$ and firing transition $t$. We write $\sigma \xrightarrow{t} \sigma'$ or $\sigma \to \sigma'$ if there are $\tau$ and $t$ such that $\sigma \xrightarrow{(\tau,t)} \sigma'$. A run of $N$ is a maximal sequence of states and transitions $\rho = \sigma_0 \to \sigma_1 \to \sigma_2 \ldots$ A state $\sigma'$ is reachable from $\sigma_0$ if there is a run $\rho$ and $i \in \mathbb{N}$ s.t. $\sigma' = \sigma_i$.

Definition 2. Let $C$ be the set of all the states reachable from $\sigma_0$. The concrete state space of $N$ is the structure $C_N = (C, \to, \sigma_0)$.




326 



W. Penczek and A. Polrola 



Notice that the structure $C_N$ can be infinite, but all its runs are discrete, i.e., each state has at most one successor within a run. This property allows us to use these structures as frames for our branching time temporal logics (subsets of CTL*).

Separating passing time and firing a transition leads to a different notion of (dense) concrete state spaces, which could not be directly taken as frames for CTL*. It would, however, be possible to reinterpret CTL* over these frames, but this problem goes beyond the scope of the paper.
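As an added illustration of Definition 1 and of the concrete state space of Section 3.1 (this is example code written for this page, not code from the paper), the following Python program builds a constructed Time Petri Net and implements the time-passing and firing rules exactly as stated above: time may pass only while no enabled transition would exceed its $\mathit{Lft}$, a transition fires only when its clock lies in $[\mathit{Eft}, \mathit{Lft}]$, firing takes no time, and clocks are reset only for transitions newly enabled by the firing. The names `TPN`, `pass_time`, `fire`, `step` and `run` are my own choices, and the sample net and schedule are constructed for the example.

```python
from fractions import Fraction
from typing import Dict, FrozenSet, List, Optional, Tuple

# Added example for this page (not the paper's code): a Time Petri Net and the
# concrete-state rules of Section 3.1. Times are Fractions so Q+ is exact.

Marking = FrozenSet[str]
Clock = Dict[str, Fraction]
State = Tuple[Marking, Clock]          # sigma = (m, clock)


class TPN:
    """N = (P, T, F, Eft, Lft, m0) without self-loops (Definition 1)."""

    def __init__(self, places, transitions, flow, eft, lft, m0):
        self.places = frozenset(places)
        self.transitions = tuple(transitions)
        self.flow = frozenset(flow)                 # F subset of (P x T) U (T x P)
        self.eft = {t: Fraction(eft[t]) for t in self.transitions}
        self.lft = {t: Fraction(lft[t]) for t in self.transitions}
        self.m0 = frozenset(m0)
        for t in self.transitions:
            if self.eft[t] > self.lft[t]:
                raise ValueError(f"Eft({t}) > Lft({t})")
            if self.pre(t) & self.post(t):
                raise ValueError(f"self-loop on {t}")

    def pre(self, t) -> Marking:        # pre(t) = {p | (p,t) in F}
        return frozenset(p for p in self.places if (p, t) in self.flow)

    def post(self, t) -> Marking:       # post(t) = {p | (t,p) in F}
        return frozenset(p for p in self.places if (t, p) in self.flow)

    def enabled(self, t, m: Marking) -> bool:
        # pre(t) subset of m and post(t) disjoint from m \ pre(t)
        return self.pre(t) <= m and not (self.post(t) & (m - self.pre(t)))

    def en(self, m: Marking) -> FrozenSet[str]:
        return frozenset(t for t in self.transitions if self.enabled(t, m))

    def fire_marking(self, t, m: Marking) -> Marking:
        # m[t> m'  with  m' = (m \ pre(t)) U post(t)
        return (m - self.pre(t)) | self.post(t)


def initial_state(net: TPN) -> State:
    return (net.m0, {t: Fraction(0) for t in net.transitions})


def pass_time(net: TPN, state: State, tau) -> Optional[State]:
    """Let tau time units pass; refused if an enabled transition would exceed Lft."""
    m, clock = state
    tau = Fraction(tau)
    if tau < 0:
        return None
    for t in net.en(m):
        if clock[t] + tau > net.lft[t]:
            return None                 # urgency: t must fire no later than Lft(t)
    return (m, {t: clock[t] + tau for t in net.transitions})


def fire(net: TPN, state: State, t) -> Optional[State]:
    """Fire t if enabled and Eft(t) <= clock(t) <= Lft(t); firing takes no time."""
    m, clock = state
    if t not in net.en(m) or not (net.eft[t] <= clock[t] <= net.lft[t]):
        return None
    m2 = net.fire_marking(t, m)
    # reset only the clocks of transitions newly enabled by firing t
    newly = net.en(m2) - net.en(m - net.pre(t))
    clock2 = {u: (Fraction(0) if u in newly else clock[u]) for u in net.transitions}
    return (m2, clock2)


def step(net: TPN, state: State, tau, t) -> Optional[State]:
    """One concrete step sigma -(tau,t)-> sigma'."""
    s = pass_time(net, state, tau)
    return None if s is None else fire(net, s, t)


def run(net: TPN, schedule) -> Optional[List[State]]:
    """Follow a list of (tau, t) pairs from sigma0; None if some step is impossible."""
    states = [initial_state(net)]
    for tau, t in schedule:
        nxt = step(net, states[-1], tau, t)
        if nxt is None:
            return None
        states.append(nxt)
    return states


def example_net() -> TPN:
    # Constructed sample: t1 and t2 are concurrently enabled in m0; t3 follows t1.
    return TPN(
        places=["p1", "p2", "p3", "p4", "p5"],
        transitions=["t1", "t2", "t3"],
        flow=[("p1", "t1"), ("t1", "p2"), ("p3", "t2"), ("t2", "p4"),
              ("p2", "t3"), ("t3", "p5")],
        eft={"t1": 1, "t2": 3, "t3": 0},
        lft={"t1": 2, "t2": 5, "t3": 1},
        m0=["p1", "p3"],
    )


if __name__ == "__main__":
    for s in run(example_net(), [(1, "t1"), (1, "t3"), (2, "t2")]):
        print(sorted(s[0]), {t: str(c) for t, c in s[1].items()})
```

Running it prints the four states of the scheduled run; note that after `t1` fires, the clock of `t2` keeps its value (it was already enabled), while `t3` starts at zero, and that `pass_time` refuses any delay that would carry an enabled transition past its latest firing time.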



4 Branching Time Logics: CTL* and ACTL* 

Syntax of CTL* 

Let $PV$ be a finite set of propositions. First, we give a syntax of CTL* and then 
restrict it to standard sublanguages. The set of state formulas and the set of 
path formulas of CTL* are defined inductively: 

S1. every member of $PV$ is a state formula, 

S2. if $\varphi$ and $\psi$ are state formulas, then so are $\neg\varphi$, $\varphi \lor \psi$ and $\varphi \land \psi$, 

S3. if $\varphi$ is a path formula, then $A\varphi$ is a state formula, 

P1. any state formula $\varphi$ is also a path formula, 

P2. if $\varphi, \psi$ are path formulas, then so are $\varphi \land \psi$, $\varphi \lor \psi$, and $\neg\varphi$, 

P3. if $\varphi, \psi$ are path formulas, then so are $X\varphi$, $G\varphi$, $Until(\varphi, \psi)$, and $\overline{Until}(\varphi, \psi)$. 

The modal operator $A$ has the intuitive meaning "for all paths". $Until$ denotes 
the standard Until and $\overline{Until}$ is the operator dual to $Until$. CTL* consists of the 
set of all state formulae. The following abbreviations will be used: $E\varphi = \neg A\neg\varphi$, 
$F\varphi = Until(true, \varphi)$. 

Sublogics of CTL*. 

ACTL*. Negation can be applied only to subformulas that do not contain modalities. 

ACTL. The sublogic of ACTL* in which the state modality $A$ and the path 
modalities $X$, $Until$, $\overline{Until}$, and $G$ may only appear paired in the combinations 
$AX$, $AUntil$, $A\overline{Until}$, and $AG$. 

CTL. The sublogic of CTL* in which the state modality $A$ and the path modalities 
$X$, $Until$, $\overline{Until}$, and $G$ may only appear paired in the combinations 
$AX$, $AUntil$, $A\overline{Until}$, and $AG$. 

LTL. Restriction to formulas of the form $A\varphi$, where $\varphi$ does not contain $A$. We 
usually write $\varphi$ instead of $A\varphi$ if confusion is unlikely. 

$L_{-X}$. The sublogic of $L \in \{$CTL*, ACTL*, ACTL, CTL, LTL$\}$ without the 
operator $X$. 
Semantics of CTL* 

Let $\Sigma$ be a finite set of labels and $PV$ be a set of propositions. A model for 
CTL* is a pair $(F, V)$, where $F = (S, R, i^0)$ is a directed, rooted, edge-labeled 
graph with node set $S$ and initial node $i^0 \in S$, $R \subseteq S \times \Sigma \times S$, while $V$ is a 
valuation function $V : S \to 2^{PV}$. The edge relation $R$ is assumed to be total, i.e. 
$\forall u\, \exists a\, \exists v:\ u \xrightarrow{a} v$. The labels on the edges in the definition of the graph are only 
used in the sequel for the benefit of the description of the suggested algorithm, 
but are ignored by the interpretation of the temporal logics. We assume that 
$F$ is deterministic, i.e., $\forall u, v, v', a$: if $u \xrightarrow{a} v$ and $u \xrightarrow{a} v'$, then $v = v'$. For 
finite graphs the determinism is imposed by renaming all the copies of each non-deterministic 
transition. If the original set of labels was $\Sigma$, the new set is called 
$\Sigma_R$. Totality is ensured by adding cycles at the end nodes. 

Let $M = (F, V)$ be a model and let $\pi = s_0 a_0 s_1 \ldots$ be an infinite path of $F$. 
Let $\pi_i$ denote the suffix of $\pi$ starting at $s_i$ and $\pi(i)$ denote the state $s_i$. Satisfaction 
of a formula $\varphi$ in a state $s$ of $M$, written $M, s \models \varphi$ or just $s \models \varphi$, is defined 
inductively as follows: 

S1. $s \models q$ iff $q \in V(s)$, for $q \in PV$, 

S2. $s \models \neg\varphi$ iff not $s \models \varphi$; $s \models \varphi \land \psi$ iff $s \models \varphi$ and $s \models \psi$; 
$s \models \varphi \lor \psi$ iff $s \models \varphi$ or $s \models \psi$, 

S3. $s \models A\varphi$ iff $\pi \models \varphi$ for every path $\pi$ starting at $s$, 

P1. $\pi \models \varphi$ iff $s_0 \models \varphi$ for any state formula $\varphi$, 

P2. $\pi \models \neg\varphi$ iff not $\pi \models \varphi$; $\pi \models \varphi \land \psi$ iff $\pi \models \varphi$ and $\pi \models \psi$; 
$\pi \models \varphi \lor \psi$ iff $\pi \models \varphi$ or $\pi \models \psi$, 

P3. $\pi \models X\varphi$ iff $\pi_1 \models \varphi$, 

$\pi \models G\varphi$ iff $\pi_j \models \varphi$ for all $j \ge 0$, 

$\pi \models Until(\varphi, \psi)$ iff there is an $i \ge 0$ such that $\pi_i \models \psi$ and $\pi_j \models \varphi$ for all 
$0 \le j < i$, 

$\pi \models \overline{Until}(\varphi, \psi)$ iff for all $i \ge 0$ ($\pi_i \models \psi$ or there is $j < i$ such that $\pi_j \models \varphi$). 
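As an added example (not from the paper), the semantics above for the $A$-paired operators of CTL can be evaluated on a finite total model by fixpoint iteration over state sets: $AG\varphi$ is the greatest fixpoint of $Z = \varphi \land AXZ$, $AUntil(\varphi, \psi)$ the least fixpoint of $Z = \psi \lor (\varphi \land AXZ)$, and the dual $A\overline{Until}(\varphi, \psi)$ the greatest fixpoint of $Z = \psi \land (\varphi \lor AXZ)$, which is exactly the clause "for all $i \ge 0$ ($\pi_i \models \psi$ or there is $j < i$ with $\pi_j \models \varphi$)" unrolled one step. The model, the tuple encoding of formulas and the function names are constructed for this example.

```python
# Constructed finite model (assumption of this example): a total, edge-labeled
# relation (labels ignored by the semantics, as in the text) and V : S -> 2^PV.
STATES = frozenset({"s0", "s1", "s2", "s3"})
EDGES = {("s0", "a", "s1"), ("s0", "b", "s2"), ("s1", "a", "s3"),
         ("s2", "a", "s3"), ("s3", "a", "s3")}          # s3 carries the terminal cycle
VAL = {"s0": {"req"}, "s1": {"req", "busy"}, "s2": {"req"}, "s3": {"done"}}


def succ(s):
    return {v for (u, _, v) in EDGES if u == s}


def ax(z):
    """AX z: every successor lies in z (R is total, so this is never vacuous)."""
    return {s for s in STATES if succ(s) <= z}


def fixpoint(step, start):
    """Iterate a monotone operator on state sets from `start` until stable."""
    z = start
    while True:
        z2 = step(z)
        if z2 == z:
            return z
        z = z2


def sat(f):
    """Set of states satisfying f; f is a nested tuple, e.g. ("AUntil", ("p", "req"), ("p", "done"))."""
    op = f[0]
    if op == "true":
        return set(STATES)
    if op == "p":                                   # S1: proposition
        return {s for s in STATES if f[1] in VAL[s]}
    if op == "not":                                 # S2
        return set(STATES) - sat(f[1])
    if op == "and":
        return sat(f[1]) & sat(f[2])
    if op == "or":
        return sat(f[1]) | sat(f[2])
    if op == "AX":                                  # S3 + P3 for X
        return ax(sat(f[1]))
    if op == "AG":                                  # greatest fixpoint of Z = phi and AX Z
        phi = sat(f[1])
        return fixpoint(lambda z: phi & ax(z), set(STATES))
    if op == "AUntil":                              # least fixpoint of Z = psi or (phi and AX Z)
        phi, psi = sat(f[1]), sat(f[2])
        return fixpoint(lambda z: psi | (phi & ax(z)), set())
    if op == "ADUntil":                             # dual Until: greatest fixpoint of Z = psi and (phi or AX Z)
        phi, psi = sat(f[1]), sat(f[2])
        return fixpoint(lambda z: psi & (phi | ax(z)), set(STATES))
    raise ValueError(f"unknown operator {op}")


def af(phi):
    """AF phi as the abbreviation Until(true, phi) under A."""
    return ("AUntil", ("true",), phi)
```

On this model `sat(("ADUntil", ("p", "busy"), ("p", "req")))` is `{"s1"}`: from `s0` the path through `s2` reaches `s3`, where `req` no longer holds and `busy` never released it, so the dual-Until formula fails there although `AUntil(req, done)` holds in every state.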

4.1 Distinguishing Power of ACTL* and CTL* 

Let $M = ((S, R, i), V)$ and $M' = ((S', R', i'), V')$ be two models. 

Definition 3 (Simulation [GL91]). A relation $\preceq_s \subseteq S' \times S$ is a simulation 
from $M'$ to $M$ if the following conditions hold: 

1. $i' \preceq_s i$, 

2. if $s' \preceq_s s$, then $V'(s') = V(s)$ and for every $s_1$ such that $s \to s_1$, there is 
$s'_1$ such that $s' \to s'_1$ and $s'_1 \preceq_s s_1$. 

Model $M'$ simulates model $M$ ($M' \preceq_s M$) if there is a simulation from $M'$ 
to $M$. Two models $M$ and $M'$ are called simulation equivalent if $M \preceq_s M'$ 
and $M' \preceq_s M$. Two models $M$ and $M'$ are called bisimulation equivalent if 
$M \preceq_s M'$ and $M' \preceq_s^{-1} M$, where $\preceq_s^{-1}$ is the inverse of $\preceq_s$. 

Theorem 1 ([GL91,BCG88]). Let $M$ and $M'$ be two (bi-)simulation 
equivalent models$^1$, where the range of the labeling functions $V$ and $V'$ is $2^{PV}$. 
Then, $M, i \models \varphi$ iff $M', i' \models \varphi$, for any ACTL* (CTL*, resp.) formula $\varphi$ over 
$PV$. 

The reverse of this theorem, essentially stating that no coarser (bi-)simulation 
preserves the truth value of ACTL* (CTL*, resp.) formulas, also holds and can 
be proved by an easy induction, when $M$ and $M'$ are finitely branching [UKEng]. 
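To make Definition 3 concrete, here is an added example (not the paper's code) that computes the greatest simulation between two finite models by iterative refinement: it starts from all pairs with equal valuation and removes every pair violating condition 2 until the relation is stable; edge labels are ignored, as in the definition. The two constructed models `M` and `M_ABS`, their encoding as dictionaries, and the function names are assumptions of the example.

```python
# Constructed models (assumption of this example). Edge labels are omitted
# because Definition 3 ignores them. M has a branch (c1 -> c4) that M_ABS lacks.
M = {
    "states": {"c0", "c1", "c2", "c3", "c4"},
    "edges": {("c0", "c1"), ("c0", "c2"), ("c1", "c3"), ("c1", "c4"),
              ("c2", "c3"), ("c3", "c3"), ("c4", "c4")},
    "val": {"c0": frozenset({"p"}), "c1": frozenset({"q"}), "c2": frozenset({"q"}),
            "c3": frozenset(), "c4": frozenset({"r"})},
    "init": "c0",
}
M_ABS = {
    "states": {"a0", "a1", "a2"},
    "edges": {("a0", "a1"), ("a1", "a2"), ("a2", "a2")},
    "val": {"a0": frozenset({"p"}), "a1": frozenset({"q"}), "a2": frozenset()},
    "init": "a0",
}


def succ(model, s):
    return {v for (u, v) in model["edges"] if u == s}


def greatest_simulation(m_from, m_to):
    """Largest relation R in S_from x S_to such that (s', s) in R implies
    V'(s') = V(s) and every move s -> s1 of m_to is matched by some
    s' -> s1' of m_from with (s1', s1) in R (condition 2 of Definition 3).
    Computed by deleting violating pairs until a fixpoint is reached."""
    rel = {(s1, s2) for s1 in m_from["states"] for s2 in m_to["states"]
           if m_from["val"][s1] == m_to["val"][s2]}
    changed = True
    while changed:
        changed = False
        for (s1, s2) in list(rel):
            matched = all(any((t1, t2) in rel for t1 in succ(m_from, s1))
                          for t2 in succ(m_to, s2))
            if not matched:
                rel.discard((s1, s2))
                changed = True
    return rel


def simulates(m_from, m_to):
    """m_from simulates m_to iff the greatest simulation relates the initial nodes
    (condition 1 of Definition 3)."""
    return (m_from["init"], m_to["init"]) in greatest_simulation(m_from, m_to)


def simulation_equivalent(m1, m2):
    return simulates(m1, m2) and simulates(m2, m1)
```

Here `M` simulates `M_ABS` but not conversely: the pair `(a1, c1)` is dropped because the move `c1 -> c4` (valuation `{r}`) has no counterpart from `a1`, and the deletion then propagates to `(a0, c0)`. The two models are therefore not simulation equivalent, so by Theorem 1 some ACTL* formula distinguishes them.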

5 Abstract State Spaces of TPNs 

Since the concrete state space $C_N$ of a TPN can be infinite, it cannot be directly 
used for model checking. We need to define its finite abstraction, i.e., another 
structure, which is finite and preserves all the formulas of our logic. This task 
is performed in the following way. First, we give a general definition of abstract 
state spaces. Next, we recall the notion of geometric state regions [BD91], which 
are finite abstractions preserving only linear time properties. Then, we define 
atomic state classes, which are obtained by splitting some of the geometric 
state regions in order to preserve all the branching time properties. 
Consequently, we improve on the algorithm generating atomic state classes by 
restricting the logic to ACTL* and the splitting to the regions for which it 
is really necessary. Then, we go for further reductions of the abstract state 
spaces by applying partial order reductions. 

Let $\equiv \subseteq C \times C$ be an equivalence relation on the set of concrete states $C$. By 
abstract states we mean equivalence classes of $\equiv$, i.e., $A = \{[\sigma]_\equiv \mid \sigma \in C\}$. We 
assume that $\equiv$ satisfies at least the condition: if $(m, clock) \equiv (m', clock')$, then 
$m = m'$. The other conditions depend on the properties to be preserved. 

Definition 4. An abstract state space of $N$ is a structure $A_N = (A, \to_A, \alpha_0)$, 
where $\alpha_0 = [\sigma_0]_\equiv$ and $\to_A \subseteq A \times T \times A$ satisfies the condition: 

EE) $\alpha \xrightarrow{t}_A \alpha'$ iff $(\exists \sigma \in \alpha)(\exists \sigma' \in \alpha')$ s.t. $\sigma \xrightarrow{t} \sigma'$. 

5.1 Geometric State Regions 

Geometric state regions are defined by sets of inequalities representing different 
clock functions. For an inequality $\theta ::= x - y \sim c$, where $x, y$ are variables, $c$ is a 
rational constant, and $\sim \in \{<, \le, >, \ge\}$, let $\bar\theta$ denote the inequality $x - y \bar\sim c$, 
where $\bar\sim$ is the complement of the relation $\sim$. 

Let $I$ be a set of inequalities over $\{x_1, \ldots, x_n\}$. A solution set $Sol(I)$ of 
$I$ is the set of all the vectors $(c_1, \ldots, c_n)$ of rational constants, which make 
every inequality of $I$ valid in the theory of rational numbers. $I$ is consistent if 
$Sol(I) \ne \emptyset$. Now, following [YR98] we introduce the notion of geometric state 
classes. 

$^1$ Formulated for finite models, but easily extends to infinite ones. 
A (geometric) state class is a tuple $\alpha = (m, I, w)$, where $m$ is a marking, $I$ 
is a set of inequalities, and $w \in T^*$, such that $m$ is obtained by firing from $m_0$ 
the sequence $w$ of transitions satisfying the timing constraints represented by $I$. 

The initial state class is $\alpha_0 = (m_0, \emptyset, \epsilon)$. Since $I$ needs to be defined over 
the variables representing the firing times of transitions, we distinguish between 
the different firings of the same transition. A transition $t$ is $i$-times fired in 
$\alpha = (m, I, w)$ if $t$ occurs $i$ times in $w$. A transition $t$ is enabled in $\alpha$ (denoted 
$t \in en(\alpha)$), if $t \in en(m)$. 

In the following discussion we assume some fixed transition sequence $w$. A 
variable $t^i$ represents the time of the $i$-th firing of an $(i-1)$-times fired transition $t$. 
Let $\alpha = (m, I, w)$ and $t^i \in w$ denote that $t$ occurs $i$ times in $w$. 

If transition $t$ which is $(i-1)$-times fired in $\alpha$ became enabled most recently 
by the $j$-th firing of a transition $u$ such that $u^j \in w$, then we say that $u^j$ is 
the parent of $t^i$ in $\alpha$, denoted $u^j = parent(t^i, \alpha)$. For $v$ being a special variable 
representing the time when the net started we assume that $v \in w$, for each 
sequence of transitions $w$. The following notions are defined: 

- $Parents(\alpha) = \bigcup_{t \in en(\alpha)} parent(t^i, \alpha)$. 
For example $parent(t^1, \alpha_0) = v$ for $t \in en(\alpha_0)$. 

- $ParTrans(\alpha) = \{(u, t) \mid u^j = parent(t^i, \alpha) \in Parents(\alpha)\}$, 

- An $(i-1)$-times fired transition $t$ is called firable in $\alpha$ if $t \in en(m)$ and for any 
$(j-1)$-times fired transition $u \in en(m)$: 
$I \cup \{$"$parent(t^i, \alpha) + Eft(t) \le parent(u^j, \alpha) + Lft(u)$"$\}$ is consistent, 

- A successor $\alpha'$ is obtained from $\alpha$ by firing a firable transition $t$ (denoted 
$\alpha' = t(\alpha)$), as follows: if $t$ is $(i-1)$-times fired in $\alpha$, then $m' = m[t\rangle$, $w' = wt$ 
and $I' = I \cup J$, where $J = J_1(\alpha, t^i) \cup J_2(\alpha, t^i)$, with 

  - $J_1(\alpha, t^i) = \{$"$Eft(t) \le t^i - parent(t^i, \alpha) \le Lft(t)$"$\}$, 

  - $J_2(\alpha, t^i) = \{$"$t^i \le parent(u^j, \alpha) + Lft(u)$" $\mid u$ is enabled and $(j-1)$-times 
fired in $\alpha\}$. 

Using the above successor relation, we can define the state class graph, where 
the nodes are state classes and the edges are represented by this relation. 
The future behaviour of $N$ from $\alpha$ depends only on the marking $m$ and the firing 
times of the enabled transitions [BD91]. If the firing times of the parents 
of the corresponding enabled transitions (i.e., those which differ by upper indices 
only) are the same in $\alpha$ and $\alpha'$, then the firing times of these transitions 
are also the same. Therefore, two state classes are equivalent (denoted $\alpha \equiv \alpha'$) 
iff $m = m'$, $ParTrans(\alpha) = ParTrans(\alpha')$, and the projections of the solutions 
$Sol(I)|_{Parents(\alpha)} = Sol(I')|_{Parents(\alpha')}$. The number of equivalence classes 
of state classes is finite [BD91] and therefore these equivalence classes constitute 
the carrier of the abstract state spaces, $A_N = (A, \to_A, \alpha_0)$ with $\to_A \subseteq A \times T \times A$, of 
geometric state regions. When we need to refer to the original state class graph, 
we call it $Unfold(A)$. 

Note that upper indices of variables can be unbounded if there exists a cycle in 
the behaviour of $N$. From $ParTrans(\alpha) = ParTrans(\alpha')$, we can consider a fixed 
ordering of the variables used in $ParTrans(\alpha)$ and $ParTrans(\alpha')$. Assuming 
that all the elements in the tuples $Sol(I)|_{Parents(\alpha)}$ and $Sol(I')|_{Parents(\alpha')}$ are 
arranged in this way, we can correctly find the equivalence of these classes. 
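The successor construction above (the firability test, $J_1$, $J_2$ and the parent bookkeeping) is the algorithmic core of the geometric state class graph. As an added example, not code from the paper or from [BD91] and [YR98], the following Python sketch implements it for a constructed toy net. Every inequality involved has the form $x - y \le c$, so consistency of $I$ is decided by negative-cycle detection over the difference-constraint graph (Floyd-Warshall) rather than by a general rational solver; that choice, the dictionary representation of a class, and the names `firable`, `successor`, `var` are assumptions of the example. The equivalence test and the identification of equivalent classes are not included.

```python
# Constructed toy TPN (assumption of this example, not the paper's Fig. 1).
# transition -> (pre-places, post-places, Eft, Lft); markings are sets (1-safe).
NET = {
    "a": ({"p0"}, {"p1"}, 1, 3),
    "b": ({"p0"}, {"p2"}, 2, 2),
    "c": ({"p1"}, {"p0"}, 0, 4),
    "d": ({"p0"}, {"p3"}, 5, 6),   # can never fire: b forces a firing by time 2
}
M0 = frozenset({"p0"})


def en(m):
    return {t for t, (pre, _, _, _) in NET.items() if pre <= m}


def consistent(I):
    """I is a set of triples (x, y, c) meaning x - y <= c. Such a system is
    consistent iff the graph with an edge y -> x of weight c for each triple
    has no negative cycle (Floyd-Warshall over the variables)."""
    vs = {x for (x, _, _) in I} | {y for (_, y, _) in I}
    d = {(x, y): (0 if x == y else None) for x in vs for y in vs}
    for x, y, c in I:
        if d[(y, x)] is None or c < d[(y, x)]:
            d[(y, x)] = c
    for k in vs:
        for i in vs:
            for j in vs:
                if d[(i, k)] is not None and d[(k, j)] is not None:
                    s = d[(i, k)] + d[(k, j)]
                    if d[(i, j)] is None or s < d[(i, j)]:
                        d[(i, j)] = s
    return all(d[(x, x)] >= 0 for x in vs)


def initial_class():
    """alpha_0 = (m_0, {}, epsilon); the parent of every initially enabled t^1 is v."""
    return {"m": M0, "I": frozenset(), "w": (), "fired": {t: 0 for t in NET},
            "parent": {t: "v" for t in en(M0)}}


def var(alpha, t):
    """Variable t^i for the i-th firing of an (i-1)-times fired t."""
    return f"{t}^{alpha['fired'][t] + 1}"


def firable(alpha, t):
    """t in en(m) and I u {parent(t^i)+Eft(t) <= parent(u^j)+Lft(u)} consistent
    for every enabled u, written as parent(t) - parent(u) <= Lft(u) - Eft(t)."""
    if t not in en(alpha["m"]):
        return False
    extra = {(alpha["parent"][t], alpha["parent"][u], NET[u][3] - NET[t][2])
             for u in en(alpha["m"])}
    return consistent(alpha["I"] | extra)


def successor(alpha, t):
    """t-successor: m' = m[t>, w' = wt, I' = I u J1 u J2, parents updated."""
    assert firable(alpha, t), f"{t} is not firable"
    pre, post, eft, lft = NET[t]
    ti, par = var(alpha, t), alpha["parent"][t]
    j1 = {(ti, par, lft), (par, ti, -eft)}                  # Eft <= t^i - parent <= Lft
    j2 = {(ti, alpha["parent"][u], NET[u][3]) for u in en(alpha["m"])}  # t^i <= parent(u^j) + Lft(u)
    m2 = frozenset((alpha["m"] - pre) | post)
    fired = dict(alpha["fired"])
    fired[t] += 1
    newly = en(m2) - en(frozenset(alpha["m"] - pre))         # transitions whose parent becomes t^i
    parent = {u: (ti if u in newly else alpha["parent"][u]) for u in en(m2)}
    return {"m": m2, "I": alpha["I"] | j1 | j2, "w": alpha["w"] + (t,),
            "fired": fired, "parent": parent}
```

In the initial class `d` is enabled but not firable: the extra inequality for `u = b` is $v - v \le Lft(b) - Eft(d) = -3$, a negative self-loop, so the test fails. Firing `a` then `c` returns to the marking `{p0}` with `c^1` as parent of the re-enabled transitions, and the next firing of `a` introduces the variable `a^2`, illustrating the unbounded upper indices mentioned in the text.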

Connection between concrete and abstract states. For any run $\rho = 
\sigma_0 \xrightarrow{t_0} \sigma_1 \xrightarrow{t_1} \sigma_2 \ldots$ of $N$ define $\rho^i = \sigma_i$ and $time(\rho, i)$ as the time at which 
$t_i$ fires in $\rho$. For each state $\sigma$ and a state class $\alpha = (m, I, w)$ we 
define $\sigma \in \alpha$ iff there exists a run $\rho = \sigma_0 \xrightarrow{t_0} \sigma_1 \xrightarrow{t_1} \sigma_2 \ldots$ of $N$ and $n \in \mathbb{N}$: 

- $\sigma = \rho^n$, 

- $w = t_0 t_1 \ldots t_{n-1}$, 

- $(time(\rho, 0), time(\rho, 1), \ldots, time(\rho, n-1))$ and $v = 0$ satisfy $I$, i.e., the set 
of inequalities obtained from $I$ by replacing $v$ by $0$ and the variables corresponding 
to $t_i$ (i.e., $t_i$ with upper indices) by $time(\rho, i)$, for $i \le n-1$, 
holds. 

In what follows we consider only those TPNs which satisfy the progressiveness 
condition, i.e., $\sum_{k \ge 0} \tau_k \to \infty$ for each infinite run $\rho$ of $N$. This means that 
TPNs cannot have cycles of transitions for which the earliest firing times are 
equal to $0$. 

5.2 Atomic State Classes 

The problem with geometric state graphs $A_N$, reported in [YR98], is that they 
do not satisfy condition AE) (see the definition below) and therefore do not preserve CTL 
formulas. 

Definition 5. A state class $\alpha$ satisfies condition AE) 
if: $\alpha \xrightarrow{t}_A \alpha'$ iff $(\forall \sigma \in \alpha)(\exists \sigma' \in \alpha')$ s.t. $\sigma \xrightarrow{t} \sigma'$, for each successor $\alpha'$ of $\alpha$ in $A$. 

This means that there is a formula, which holds at $\sigma_0$, but does not hold at 
$\alpha_0$. Therefore, the geometric region approach cannot be used for CTL model 
checking of TPN. One of the ways out is to split the state classes into atomic 
state classes to make the condition AE) hold. 

Definition 6. A state class $\alpha = (m, I, w)$ is atomic if it satisfies condition AE). 
A region graph is atomic if all its state classes are atomic. 

Splitting of the state classes. Atomic classes are obtained by splitting the 
original classes. When the region $\alpha = (m, I, w)$ is split, then two new regions 
$(m, I \cup \gamma, w)$ and $(m, I \cup \bar\gamma, w)$ are created, where $\gamma = IMPCON(\delta)$ is a proper 
constraint defined below. 

Let $\alpha' = (m', I', w')$ be a successor of $\alpha = (m, I, w)$ obtained by the $i$-th 
firing of $t$. An edge constraint between $\alpha$ and $\alpha'$ is an inequality $\delta \in I'$ such 
that $variables(\{\delta\}) = \{t^i, u^j\}$ and $u^j \in Parents(\alpha)$. For an edge constraint 
$\delta = t^i + c \sim u^j$ and $x = parent(t^i, \alpha)$, define 

- $IMPCON(\delta) = x + (Eft(t) + c) \sim u^j$, if $\sim \in \{<, \le\}$, 

- $IMPCON(\delta) = x + (Lft(t) + c) \sim u^j$, otherwise. 

- $IMPCON(\delta)$ is a proper constraint if $I \cup IMPCON(\delta)$ is consistent. 

Intuitively, the existence of a proper constraint means that $t$ is not firable from 
all $\sigma \in \alpha$. 

Theorem 2 ([YR98]). A state class $\alpha$ is not atomic if there exists a proper 
constraint $IMPCON(\delta)$ for some edge constraint $\delta$ between $\alpha$ and $\alpha'$. 

The algorithm building atomic state classes combines the depth-first 
search together with the partitioning. It starts with generating the initial geometric 
region and then, recursively, computes the successor classes of each class 
$\alpha = (m, I, w)$ obtained by firing transitions firable at $\alpha$. Before firing a transition 
$t$, $\alpha$ is split if it is not atomic. In this case, for the class "$\alpha + IMPCON$", i.e., 
$\alpha$ modified by adding $IMPCON$ to $I$, all its successors are generated (instead 
of copying the subgraph). For $\alpha$ and its successors the recursive splitting procedure 
is called, which modifies the sets of inequalities of those classes by adding 
$IMPCON$s. Splitting of a class can also make it necessary to split some of its 
predecessors, as every inequality we add in this process is a new edge constraint 
between a class and its parent. Then, the new class $t(\alpha)$ obtained by firing $t$ at 
$\alpha$ is computed. 

In [YR98] it is proved that the above algorithm always terminates and produces 
a finite atomic state class graph $A$, such that $Unfold(A)$ is also atomic. 
In the following example we display a TPN with its geometric state graph and 
unfolded atomic state graph. 


Example 1. The TPN in Figure 1 is taken from [YR98]. The sets of inequalities 
of the state classes are defined as follows: 

$I_{\alpha_0} = \emptyset$ 

$I_{\alpha_1} = \{0 < t_1 - v < 1,\ t_1 < v + 6\}$ 

$I_{\alpha_2} = \{0 < t_1 - v < 1,\ 0 < t_2 - t_1 < 1,\ t_1 < v + 6,\ t_2 < v + 6\}$ 

$I_{\alpha_3} = \{0 < t_1 - v < 1,\ 0 < t_2 - t_1 < 1,\ 0 < t_3 - t_2 < 1,\ t_1 < v + 6,\ t_2 < v + 6,\ t_3 < v + 6\}$ 

The remaining classes of Figure 1 extend $I_{\alpha_3}$ by constraints on the fourth firing time $t_4$: 
one class adds $1 < t_4 - t_3 < 3$ and $t_4 < v + 6$; one adds $5 < t_4 - v < 6$ and $t_4 < t_3 + 3$; 
and two classes contain both $1 < t_4 - t_3 < 3$ and $5 < t_4 - v < 6$, the first together with 
$t_4 < v + 6$, the second together with $t_4 < t_3 + 3$. 

[Figure 1: the Time Petri Net, its geometric state class graph and its atomic 
state class graph; the edge constraints legible in the figure are $v + 2 < t_3$, 
$t_2 - 2 < v$, $v + 1 < t_1$ and $v + 1 < t_2$.] 

Fig. 1. TPN and its state graphs with $IMPCON$'s and $\overline{IMPCON}$'s added 




5.3 The State Spaces of TPN as Models for CTL* 

Let each proposition $q_i \in PV$ correspond to exactly one place $p_i \in P$. For 
simplicity, we assume the same names for the propositions and places. Notice 
that the concrete state space $C_N = (C, \to, \sigma_0)$ of a TPN $N$ as well as the 
abstract ones $A_N = (A, \to_A, \alpha_0)$, extended by the valuation functions: 

- $V_C : C \to 2^P$, where $p \in V_C((m, clock))$ iff $p \in m$, for each $(m, clock) \in C$, 

- $V_A : A \to 2^P$, where $p \in V_A((m, I, w))$ iff $p \in m$, for each $(m, I, w) \in A$, 

define models for the formulas of CTL*. 

Abstract model $M_{A_N} = (A_N, V_A)$ preserves a formula $\varphi$ if for each $\alpha \in A_N$: 
$M_{A_N}, \alpha \models \varphi$ iff $(\forall \sigma \in \alpha)\ M_{C_N}, \sigma \models \varphi$. This implies that $M_{A_N}, \alpha_0 \models \varphi$ iff 
$M_{C_N}, \sigma_0 \models \varphi$. 

Theorem 3 ([BD91,YR98]). Let $A_N = (A, \to_A, \alpha_0)$ be an abstract state 
space. Then, the following conditions hold: 

- if $A_N$ is a geometric class graph, then $M_{A_N}$ preserves LTL formulas, 

- if $A_N$ is an atomic class graph, then $M_{A_N}$ preserves CTL formulas. 

Notice that if $A_N$ is an atomic class graph, then it satisfies condition AE) and 
therefore $M_{C_N}$ and $M_{A_N}$ are bisimulation equivalent. Then, $M_{A_N}$ preserves also 
CTL* formulas (see Theorem 1). 
5.4 Pseudo-Atomic State Class
es 

Now, our first contribution starts. The aim is to relax the conditions on the 
atomic class graphs such that only ACTL* formulas remain preserved. We start 
with weakening the condition AE) to condition U), defined below. 

U) For each $\alpha \in A$ there is $\emptyset \ne cor_\alpha \subseteq \alpha$ such that $\sigma_0 \in cor_{\alpha_0}$, and $\to_A$ satisfies: 
$\alpha \xrightarrow{t}_A \alpha'$ iff $(\forall \sigma \in cor_\alpha)(\exists \sigma' \in cor_{\alpha'})$ s.t. $\sigma \xrightarrow{t} \sigma'$. 

If an abstract state space $A_N$ satisfies U), we say that $A_N$ is pseudo-atomic. 
Notice that condition U) is equivalent to AE) when there is $cor_\alpha = \alpha$ for each 
$\alpha \in A$. 





Fig. 2. Fragments of abstract structures formed from sets of concrete states 

Example 2. Figure 2 shows three fragments of abstract state spaces, where 

A1: AE) is satisfied and $cor_\alpha = \{c_1, c_2\}$, 

A2: U) is satisfied and $cor_\alpha = \{c_2\}$, 

A3: Neither AE) nor U) is satisfied; $cor_\alpha = \emptyset$. 

Next, we formulate the theorem, which connects condition U) with ACTL*. 

Theorem 4. If $A_N$ is a pseudo-atomic class graph, then $M_{A_N}$ preserves the 
formulas of ACTL*. 

Proof. (Sketch) First notice that the following conditions hold: 

1. $(\forall \sigma, \sigma' \in cor_\alpha)(\forall \varphi \in \mathrm{ACTL}^*)\ \sigma \models \varphi$ iff $\sigma' \models \varphi$, 

2. $\alpha \models \varphi$ iff $(\exists \sigma \in cor_\alpha)\ \sigma \models \varphi$, 

3. $(\forall \sigma \in cor_\alpha)(\forall \sigma' \in \alpha \setminus cor_\alpha)(\forall \varphi \in \mathrm{ACTL}^*)\ \sigma \models \varphi \Rightarrow \sigma' \models \varphi$. 

1) and 2) follow directly from the proof that condition AE) preserves CTL* 
(remember that ACTL* is a sublanguage of CTL*). 3) follows from the fact that 
by condition U) each $\sigma \in cor_\alpha$ simulates each other $\sigma' \in \alpha$. 

Then, we show that $\alpha \models \varphi$ iff $(\forall \sigma \in \alpha)\ \sigma \models \varphi$. 

($\Rightarrow$) It follows from 1) and 2) that if $\alpha \models \varphi$, then $(\forall \sigma \in cor_\alpha)\ \sigma \models \varphi$. Since 
(by condition 3) $(\forall \sigma \in cor_\alpha)(\forall \sigma' \in \alpha \setminus cor_\alpha)\ \sigma \models \varphi$ implies $\sigma' \models \varphi$, we get that 
$(\forall \sigma \in cor_\alpha)\ \sigma \models \varphi$ implies $(\forall \sigma \in \alpha)\ \sigma \models \varphi$. So, we are done. 

($\Leftarrow$) If $(\forall \sigma \in \alpha)\ \sigma \models \varphi$, then $(\forall \sigma \in cor_\alpha)\ \sigma \models \varphi$. Thus, by conditions 1) and 
2) $\alpha \models \varphi$. 

Thus, the theorem follows from the fact that $\sigma_0 \in cor_{\alpha_0}$. 

The condition U) will be used for improving the size of atomic state spaces 
preserving ACTL* formulas. 

Example 3. Notice that in Fig. 2 $A_1$ preserves CTL*, $A_2$ does not preserve CTL*, 
but preserves ACTL*, whereas $A_3$ does not preserve ACTL, but preserves LTL. 

Example 4. Notice that the geometric state class graph of Fig. 1 satisfies the 
condition U) and therefore preserves ACTL*. 

Now, we discuss how to modify the algorithm generating atomic state spaces 
in order to get pseudo-atomic state spaces. The classes are now represented by 
$\alpha = (m, I, I^{cor}, w)$, where $I^{cor}$ represents the $cor$ of $\alpha$. Firing a transition $t$ 
at $\alpha$ gives the new class $\alpha' = (m[t\rangle, I \cup J, I^{cor} \cup J, wt)$, where $(m[t\rangle, I \cup J, wt)$ is 
the $t$-successor of $\alpha$, described in Section 5.1. Notice that splitting is not necessary 
when $I^{cor}$ is consistent. Thus, the algorithm is modified such that rather than 
splitting $\alpha$, it computes and memorizes $I^{cor}$. This is performed in the following 
way. The algorithm starts with assigning $I^{cor} = I$ for the initial state class. 

Then, assume for simplicity, that $IMPCON(\delta)$ is the only proper constraint 
between $\alpha$ and its $t$-successor $\alpha'$. Then, 

i) $I^{cor}_\alpha := I^{cor}_\alpha \cup IMPCON(\delta)$ and ii) $I^{cor}_{\alpha'} := I^{cor}_{\alpha'} \cup IMPCON(\delta)$. 

i) follows from the fact that transition $t$ is only firable at $\alpha$ with $I^{cor}_\alpha \cup 
IMPCON(\delta)$ to lead to $\alpha'$. ii) propagates $IMPCON(\delta)$ to $\alpha'$. 

As long as $I^{cor}$ is consistent the algorithm does not need to split. Otherwise, 
the algorithm starts splitting in a similar way as described in [pFF.DSj], handling the 
splitting of $I^{cor}$'s as well. In this case, class $\alpha$ and its successors are recursively 
modified by adding $IMPCON$ to their sets of inequalities $I$ and $I^{cor}$, and the 
new class $\alpha_1 = \alpha + IMPCON$ is created. $I^{cor}_{\alpha_1}$ is the union of $I_{\alpha_1}$ and the set 
of inequalities obtained by firing the transition $t$, which was fired to generate the 
class $\alpha$, at $I^{cor}$ of the parent class of $\alpha$. The successors of $\alpha_1$ are computed, 
instead of copying the subgraph. A detailed description of this algorithm can be 
found in [ITW1]. 

6 Partial Order Reductions for TPN 

In this section we show that the covering relation of [DOKK98] can be exploited 
for defining partial order reductions of abstract state spaces (pseudo-atomic and 
atomic) of Time Petri Nets preserving branching time properties. 

Let $A_N = (A, \to_A, \alpha_0)$ be a region graph, $\alpha \in A$, and let $t(\alpha)$ denote the class 
$\alpha'$ obtained by firing $t$ at $\alpha$. Recall that $A_N$ is deterministic, so the transitions 
are labelled by $T$. Let $\alpha^+ = \{\sigma' \in C \mid \sigma' = \sigma + \tau$, for some $\sigma \in \alpha$ and some time 
$\tau \in \mathbb{Q}^+$ which can pass at $\sigma\}$. 

Definition 7. Let $t, t' \in T$. Transition $t$ covers transition $t'$ (written $t \preceq_c t'$) 
if for all classes $\alpha \in A$ it holds $t(t'(\alpha)) \subseteq (t'(t(\alpha)))^+$. 

Intuitively, any class that can be reached from $\alpha$ by firing $t'$ and then $t$ can also 
be reached from $\alpha$ by first firing $t$, then $t'$, and then possibly passing some time. 

Example 5. In Figure 3 transition $t$ covers transition $t'$. The components $I_i$ of 
the abstract states $\alpha_i$ are as follows: 

- $I_1 = \{$"$t - v < 1$"$\}$, 

- $I_2 = \{$"$1 < t' - v < \ldots$", "$\ldots - v < 2$"$\}$, 

- $I_3 = \{$"$t - v < 2$", "$1 < t' - v < 2$"$\}$. 

Fig. 3. Transition $t$ covers transition $t'$ as $\alpha_4 \subseteq \alpha_3$ 

We now give a simple criterion which implies that $t$ covers $t'$. 

Theorem 5. If transitions $t, t' \in T$ satisfy the following conditions: 

- $(pre(t) \cup post(t)) \cap (pre(t') \cup post(t')) = \emptyset$, 

- $Eft(t) = 0$, 

then $t \preceq_c t'$. 

Proof. (Sketch) We have to show that $t(t'(\alpha)) \subseteq t'(t(\alpha))^+$. Let $\sigma = (m, clock) \in 
\alpha$ and $\sigma'_2 = (m[t't\rangle, clock + \tau_{t'} + \tau_t) \in t(t'(\alpha))$. Since $t'$ can fire at $(m, clock + \tau_{t'})$, 
$t$ can fire as well, due to $Eft(t) = 0$. Let $\sigma_2 = (m[t't\rangle, clock + \tau_{t'})$. From 
$m[t't\rangle = m[tt'\rangle$ it follows that $\sigma_2 \in t'(t(\alpha))$. Thus, $\sigma'_2 \in t'(t(\alpha))^+$. 

Below, we show that using the covering relation, we can extend the partial order 
reduction method for branching time properties from untimed systems [GKPP99] 
to TPNs. There are several problems with proving the correctness of this approach, 
which follow from the fact that $t(t'(\alpha)) \ne t'(t(\alpha))$ and the fact that the 
pseudo-atomic state spaces are generated by the algorithm, which is a combination 
of DFS and splitting. The following discussion explains how we solve these 
problems. 

First, observe that it is not equality of $t(t'(\alpha))$ and $t'(t(\alpha))$ which is necessary 
in the proof of correctness, but the fact that $t'(t(\alpha))$ simulates (or bisimulates) 
$t(t'(\alpha))$. This is provided by the following lemma. 

Lemma 1. If $t \preceq_c t'$ and $t, t'$ are firable at $\alpha$, then $\alpha_1 = t'(t(\alpha))$ simulates 
$\alpha_2 = t(t'(\alpha))$ (denoted $\alpha_1 \preceq_s \alpha_2$), for each $\alpha \in A$. 

Unfortunately, the proof of Theorem 6 using the above lemma becomes quite 
involved. 

The second problem is connected with the way the po-reduced (pseudo-)atomic 
state spaces are generated. First of all, DFS together with the partitioning 
is used and moreover splitting of classes can introduce non-determinism 
and the need for renaming the copies of transitions of $T$ to $T_R$. 

Now, we prove that for a given (pseudo-)atomic state space, our method 
of po-reductions gives a reduced state space, which preserves the formulas of 
(ACTL$_{-X}$) CTL$_{-X}$. This result allows us to reduce the abstract state spaces, 
but it does not say how to perform partial order reductions while generating 
the state spaces by DFS + partitioning. Such a combination is possible and it 
is discussed in the last section. For the detailed description of the algorithm the 
reader is referred to [IMS]. 

Next, we discuss the above algorithms. Let $A_N = (A, \to_A, \alpha_0)$ be a pseudo-atomic 
state space, and $en(\alpha) = \{t \mid \exists \alpha' \in A : \alpha \xrightarrow{t} \alpha'\}$. 

The standard po-reduction algorithm is based upon a straightforward depth-first-search 
(DFS) algorithm to generate a reduced state graph. 

DFS is a recursive algorithm, which starts at the initial pseudo-atomic region 
of the Time Petri Net $N$. In the current state $\alpha$, DFS selects an unexpanded (i.e., 
not yet used for the generation of a successor) enabled transition, say $t \in en(\alpha)$, 
and generates the successor state $\alpha'$ such that $\alpha \xrightarrow{t}_A \alpha'$. Then, DFS continues 
from the successor state till no more enabled transitions are present; then it backtracks 
to the nearest predecessor, which contains an unexpanded enabled transition. 

The PO-reduction algorithm differs from DFS in that whenever the po-reduction 
algorithm visits a new state $\alpha'$ and the set of enabled transitions $en(\alpha')$ 
is examined, only a subset (Ample set) of it, denoted $E(\alpha')$, is used to generate 
the successors. The choice of Ample sets is constrained by the following conditions, 
introduced and precisely discussed in [Pel96,Val89,Val96,WG93,GKPP99,PSGK00]. 
Let $Vis$ denote the set of renamed transitions, which change valuations 
of the propositions used in $\varphi$ on model $M_{A_N}$, and $Invis = T_R \setminus Vis$. Recall 
that for models corresponding to TPNs the places play the role of the propositions. 

C1 No transition $t \in T_R \setminus E(\alpha)$ that is not covered by a transition in $E(\alpha)$ can 
be executed in $N$ before a transition of $E(\alpha)$ is executed. 

C2 On every cycle in the constructed state graph, there is a node $\alpha$ with $E(\alpha) = 
en(\alpha)$, 

C3 $E(\alpha) \cap Vis = \emptyset$ or $E(\alpha) = en(\alpha)$, 

C4 there is an unrenamed $t \in T$ s.t. $E(\alpha) = \{t\}$ or $E(\alpha) = en(\alpha)$, 

CD $(Vis \times Vis) \cap \preceq_c = \emptyset$. 

An algorithm for computing sets of transitions satisfying C1 w.r.t. independency 
can be found in [iHEna]. Its adaptation w.r.t. covering is straightforward (see 
[msm]). 

Remark: for reductions preserving only ACTL$_{-X}$ there is an alternative 
way of defining the Ample sets such that the conditions C3, C4 are relaxed. 

Below, we show that the reduced pseudo-atomic model preserves ACTL$_{-X}$, 
i.e., that the pseudo-atomic and the reduced pseudo-atomic model are simulation 
equivalent. A similar proof can be obtained for preservation of CTL$_{-X}$, but then 
we have to reduce atomic models using the definition of Ample sets based on the 
symmetric relation $\preceq_c$. To this aim we use the idea of the proof in [GKPP99], but 
modify the definition of simulation. We start with defining a visible simulation, 
which has been shown to be stronger than simulation [PSGK00]. 

Definition 8 (visible simulation [Pel96,GKPP99]). A relation $\preceq_{vs} \subseteq 
S' \times S$ is a visible simulation from $M' = ((S', R', i'), V')$ to $M = ((S, R, i), V)$ 
if (i) $i' \preceq_{vs} i$ and (ii) whenever $s' \preceq_{vs} s$, the following conditions hold: 

1. $V'(s') = V(s)$. 

2. If $s \xrightarrow{b} t \in R$, then either $b$ is invisible and $s' \preceq_{vs} t$, or there exists a path 
$s' = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \ldots \xrightarrow{a_{n-1}} s_n \xrightarrow{b} t'$ in $M'$ such that $s_i \preceq_{vs} s$ for $i \le n$, $a_i$ 
is invisible for $i < n$ and $t' \preceq_{vs} t$. 

3. If there is an infinite path $s = t_0 \xrightarrow{b_0} t_1 \xrightarrow{b_1} \ldots$, where $b_i$ is invisible and 
$s' \preceq_{vs} t_i$ for $i \ge 0$, then there exists an edge $s' \xrightarrow{c} s''$ such that $c$ is invisible 
and $s'' \preceq_{vs} t_j$ for some $j > 0$. 

Model $M'$ v-simulates model $M$ ($M' \preceq_{vs} M$) if there is a visible simulation 
from $M'$ to $M$. Two models $M$ and $M'$ are called v-simulation equivalent if 
$M \preceq_{vs} M'$ and $M' \preceq_{vs} M$. Two models $M$ and $M'$ are called v-bisimulation 
equivalent if $M \preceq_{vs} M'$ and $M' \preceq_{vs}^{-1} M$, where $\preceq_{vs}^{-1}$ is the inverse of $\preceq_{vs}$. 



Theorem 6. Let $M$ be a pseudo-atomic model and $M'$ be its po-reduction generated 
by our algorithm. Then, $M$ and $M'$ are v-simulation equivalent. 

Proof. (Sketch) The proof is a generalization of the corresponding proof of 
[GKPP99]. Let $M = ((S, R, i), V)$ be the pseudo-atomic model of $N$ and 
$M' = ((S', R', i'), V')$ be the reduced one generated for $M$ by our partial order 
reduction algorithm. 

Remember that $i' = i$ and $V' = V|_{S'}$. Since $M'$ is a sub-model of $M$, it is 
obvious that $M$ v-simulates $M'$. In order to show the opposite, we define a new 
visible simulation relation: 

Let $s \preceq_s s'$ denote that $s$ simulates $s'$ in the sense of Lemma 1. We use also the 
notation $s' (\preceq_s)^{-1} s$ for $s \preceq_s s'$. In order to obtain a v-simulation between the 
reduced model $M'$ and the model $M$, define the following relation: 

Definition 9. Let $\approx \subseteq S \times S$ be such that $s \approx s'$ iff there exists a sequence of 
states $s = s_0 (\preceq_s)^{-1} w_0 \xrightarrow{a_0} s_1 (\preceq_s)^{-1} w_1 \xrightarrow{a_1} \ldots s_n (\preceq_s)^{-1} w_n = s'$ such 
that $a_i$ is invisible and $\{a_i\}$ satisfies condition C1 from state $w_i$ for $0 \le i < n$. 
Such a sequence will be called a generalized forming sequence (gf-sequence, for 
short). A gf-sequence of the form $s = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \ldots s_n = s'$ is called a 
standard forming path (sf-path). 

The number of $\to$ in a gf-sequence is called its length. Let $\sim\ = \ \approx \cap (S \times S')$. 
Now, our goal is to show that $\sim$ is a v-simulation. We use a number of simple 
lemmas (Lemmas 2 to 5) to prove the main theorem (Theorem 7). 

Lemma 2. Let $s \xrightarrow{a} r$ be an edge of $M$ such that $\{a\}$ satisfies Condition C1 
from the state $s$. Let $s \xrightarrow{b} s'$ be another edge of $M$, with $a \ne b$. Then $\{a\}$ 
satisfies Condition C1 from $s'$. 

Proof. See [GKPP99]. 

Lemma 3. Let $s (\preceq_s)^{-1} r$ and $s \xrightarrow{a} s'$ be an edge of $M$. Then, there is $r' \in S$ 
and an edge $r \xrightarrow{a} r'$ such that $s' (\preceq_s)^{-1} r'$. 

Proof. Follows directly from Lemma 1. 

Lemma 4. Let $s = s_0 (\preceq_s)^{-1} w_0 \xrightarrow{a_0} s_1 (\preceq_s)^{-1} w_1 \xrightarrow{a_1} \ldots s_n (\preceq_s)^{-1} w_n = 
r$ be a gf-sequence and $s \xrightarrow{b} s'$. Then there are exactly two possibilities: 

1. For all $0 \le i < n$ transition $a_i$ covers $b$. Then, there exists a gf-sequence 
$s' = s'_0 (\preceq_s)^{-1} w'_0 \xrightarrow{a_0} s'_1 (\preceq_s)^{-1} w'_1 \xrightarrow{a_1} \ldots s'_n (\preceq_s)^{-1} w'_n = r'$ 
with $s_j \xrightarrow{b} s'_j$ and $w_j \xrightarrow{b} w'_j$ for $0 \le j \le n$. 

2. There exists $j < n$ such that $b$ is covered by $a_i$ for $0 \le i < j$, and $b = a_j$. 
There exists a gf-sequence $s' = s'_0 (\preceq_s)^{-1} w'_0 \xrightarrow{a_0} \ldots \xrightarrow{a_{j-1}} s'_j (\preceq_s)^{-1} w'_j$, 
where $w'_j = s_{j+1}$, $s_i \xrightarrow{b} s'_i$ and $w_i \xrightarrow{b} w'_i$ for $0 \le i < j$. Therefore, there is 
a gf-sequence of length $n-1$ from $s'$ to $r$. 

Proof. Notice that $b$ is covered by $a_i$ for $0 \le i < n$ in Item 1, since $\{a_i\}$ satisfies 
C1 in $w_i$. The same holds for $0 \le i < j$ in Item 2. We can now apply a 
simple induction using Lemma 2 and Lemma 3. 

Corollary 1. Let $s \approx r$ and $s \xrightarrow{b} s'$. Then there exists an edge $r \xrightarrow{b} r'$ such 
that $s' \approx r'$ in each of the following two cases: 

1. $b$ does not appear on some gf-sequence from $s$ to $r$ (in particular this must 
be the case when $b$ is visible), or 

2. $s' \not\approx r$. 

It is easy to see that the reduction algorithm guarantees the following: 

Lemma 5. Let s be a state in the redueed model M' . Then, there is a sf-path in 
M' from s to a fully expanded (i.e., with all the successors generated) state s' . 

Theorem 7. The relation ps is a v-simulation. 

Proof. First, observe that t = t' and t G S' . Hence t ~ l'. Next, let s ~ r. Thus, 
s ~ r. Item 1 of Definition El is satisfied since the invisible operations and 
preserve valuation. Hence, y(s) = V{r). Thus, also F(s) = V'{r). 

We show that Item 2 of Definition 0 holds. Let s —b→ s' ∈ M. We argue by 
cases: 

Case 1. s' ≈ r and b is invisible. Then Item 2 follows immediately. 

Case 2. s' ≉ r or b is visible. According to Corollary 0 in both cases there is 
an edge r —b→ r' in M such that s' ≈ r'. Notice that by the definition of ~, 
r ∈ S', but it is not necessarily the case that r' ∈ S'. By Lemma 0 there is 
an sf-path in M' from r to some fully expanded state t. Hence, s ≈ r ≈ t, 
which implies by transitivity of ≈ that s ≈ t. Since t ∈ S', also s ~ t. Again 
there are two cases: 

Case 2.1. r' ≈ t and b is invisible. Then, s' ≈ r' ≈ t, hence s' ≈ t and also 
s' ~ t. Thus, the path required by Item 2 consists of the sf-path from r 
to t. 

Case 2.2. r' ≉ t or b is visible. Then, according to Corollary 0 there is an 
edge t —b→ t', with r' ≈ t'. Thus, s' ≈ r' ≈ t', hence s' ≈ t'. Since t is 
fully expanded, t' ∈ S', thus s' ~ t'. Thus, the path required in Item 2 
consists of the sf-path from r to t, followed by the edge t —b→ t'. 

For proving Item 3 of Definition 0 let s_0 —a_0→ s_1 —a_1→ ... be an infinite path, 
where s_0 = s and with a_i invisible and s_i ~ r for i > 0. Consider now two cases. 
In the first case, there is a single edge r —c→ r', with c invisible, in M', with {c} 
satisfying Condition C1 from r. In this case, r ≈ r', and since s_i ≈ r, we have 
s_i ≈ r'. Since r' is in S' then s_i ~ r'. 

In the second case, r is fully expanded. We will show that there exists a 
gf-sequence from some s_j to r, where j > 0, such that a_j does not occur on it. 
To show that, we will construct a sequence of gf-sequences l_i from s_i to r, for 
0 ≤ i ≤ j, with l_0 a path from s = s_0 to r. Observe that by Lemma 0 if a_i appears 
on l_i, then we can construct a path l_{i+1} from s_{i+1} that is shorter than l_i. Since 
there are infinitely many states s_i, and l_0 has a finite length, this construction 
must terminate with some j as above. Now, according to Corollary 0 there is an 
edge r —a_j→ r' ∈ M such that s_{j+1} ≈ r'. Since r is fully expanded, also s_{j+1} ~ r'. 
End of proof. 
It is important to notice that if ≈ is symmetric, then it follows easily from 
Lemma 0 that ~ is a v-bisimulation. In this case, to preserve CTL_{-X}, the PO- 
reduction algorithm should be applied to atomic models. An easy criterion for 
≈ to be symmetric is to require that Eft(t) = = 0. 



6.1 Combining DFS, Partitioning, and Partial Order Reductions 

Now, we describe the (non-sequential) combination of the DFS+partitioning 
algorithm generating the (pseudo-)atomic state classes and partial order reduc- 
tions. 

The following changes to the algorithm generating the (pseudo-)atomic state 
classes are made. The set of transitions to be fired at a class a (an ample set) is com- 
puted w.r.t. the formula to be checked. Since splitting of a class can imply splitting 
of some of its predecessors, the original choice of a single transition by C4 to 
be fired from the class can be invalidated (the transition gets copies, which have 
to be renamed). This requires recomputing the ample set and rebuilding the 
subgraph. A similar problem has to be handled if a class we get, when splitting 
propagates, is equivalent to some of its predecessors, which can invalidate the 
condition C2. This again requires rebuilding the subgraph. Moreover, all the 
edge constraints, which could potentially cause splitting of class a even if the 
po-reduction has been applied to transitions enabled at a, are computed in or- 
der to build the graph as a substructure of the unreduced one. A detailed 
description of the algorithm can be found in [?]. 

Our proof of correctness shows that the reduced state space generated by 
the above algorithm is exactly the same as the one generated by the standard 
PO-reduction algorithm, applied to the already generated (pseudo-)atomic state 
graph. So, correctness follows again from Theorem 0. 



7 Experimental Results 

Our algorithm has been implemented on the base of the program described 
in [?], which we have received by courtesy of Tomohiro Yoneda. The sets of in- 
equalities describing state classes are represented by DBM matrices [?]. The 
present implementation does not contain any compressing procedure and there- 
fore should be optimized for practical purposes. 

A small net is presented in Figure 4. We display the sizes of its (detailed) 
region graph of [ACD90] (taken from [YR98]), geometric region, atomic and 
pseudo-atomic graphs, and the graphs obtained using our PO-reduction algo- 
rithm (for Vis = {t(j}). 

It is obvious that running our implementation on bigger examples (with more 
concurrent processes) would give much more substantial po-reductions, as these 
depend on the number of independent operations. 
                        States   Edges   Total   CPU 
region graph             15011   25206   40217 
geometric region            16      25      41   0.02 
(AE) satisfied              53              95   0.05 
(AE)+po(ACTL_{-X})          53      76     129   0.04 
(U) satisfied               31      50      81   0.03 
(U)+po(ACTL_{-X})           31      44      75   0.04 

(The third column is the sum of the first two; the net of Figure 4 itself is not 
reproduced in this text. Of its annotations only the transition intervals [0,10], 
[0,10], [0,10], [30,30], [50,60] and the places p6, p7 survive.) 

Fig. 4. A comparison between the sizes of graphs for a simple TPN 



8 Conclusions 

We have improved the variant of the geometric region method [YR98] for defining 
abstract state spaces preserving properties of ACTL*. Moreover, we have shown 
how to extend the po-reduction methods to deal with next-time free branching 
properties of time Petri Nets. Finally, the above two results have been com- 
bined, offering an efficient method for model checking of ACTL_{-X} and CTL_{-X} 
properties of time Petri Nets. So far our method covers only untimed properties 
of TPN. However, we believe that a similar approach can be used for efficient 
verification of TCTL properties using the region graph approach of [ACD90]. 
Abstract. During the last years we have been working towards a com- 
plete design method for distributed embedded real-time systems. The 
main characteristic of the methodology is that within the critical phases 
of analysis and synthesis the system under development is available in 
one unique model, that of extended Pr/T-Nets. Among several other 
reasons we have chosen a high-level Petri Net model in order to bene- 
fit from the multitude of analysis and synthesis methods for Petri Nets. 
Even though the methodology is based upon one common model, it nev- 
ertheless supports the modeling of heterogeneous systems using different 
specification languages. The methodology was introduced and described 
in several former publications. In this paper we therefore only give a brief 
overview and afterwards go into details of our recent work, namely the 
transformation of proper Pr/T-Net models into synchronous languages, 
the partitioning of Pr/T-Nets and an OS-integrated execution engine for 
Pr/T-Nets. 



1 Introduction 

In recent years the design of embedded systems has gained increasing impor- 
tance. This development is on the one hand rooted in the growing number of 
embedded systems. On the other hand, due to the complexity of embedded 
systems, manual design of these systems without support of well-elaborated 
methodologies is not practicable. The reasons for complexity are manifold: First 
of all many embedded systems are safety-critical. Thus many requirements, logi- 
cal as well as temporal, have to be assured during design. However, the effort - in 
terms of hardware resources - for implementing the system should be minimized, 
since normally embedded systems are series products. Complexity is often raised 
through the fact that complex embedded systems are distributed and contain 
concurrent behavior. Finally, the target architectures for their realization are 
typically heterogeneous. In summary, sophisticated methodologies and tools for 
the seamless design of embedded systems are needed. Within our group we have 
been working towards a complete design methodology for embedded systems 
for several years now. It covers the whole design flow, reaching from modeling 
of embedded systems via analysis and partitioning down to synthesis. Analysis 
methods are used in order to guarantee compliance of the implementation with 
specified requirements as well as to provide information for an efficient realiza- 
tion of the system. One main problem when analyzing the system is that the 
modeling of a complex embedded real-time system typically results in a heteroge- 
neous specification. The resulting model consists of several components specified 
using application-specific languages from the respective domains. With regard to 
reliability it is not sufficient to analyze each single component on its own. Many 
functional errors only expose themselves when all individual components work 
together in the whole context, observed over time. For this reason, one main 
characteristic of our methodology is that within the critical phases of analysis 
and synthesis, the system under development is available in one unique formal 
model. Thereby, our basic model is that of extended Pr/T-Nets. 

We have chosen a Petri Net model, since for Petri Net models a lot of analy- 
sis methods and tools are already available. Moreover, Petri Nets are well-suited 
for modeling reactive, local, and concurrent behavior, which is typical for em- 
bedded real-time systems. In this context, local behavior means that the global 
behavior of a model is the sum of its local behaviors. Despite their advantages, a 
methodology based solely on Petri Nets would gain only little acceptance, since 
most engineers have a favorite specification language they are used to working 
with. But as we have already shown in [?], our underlying model of extended 
Pr/T-Nets is able to integrate other specification languages like diagrams for 
differential equations or token-based dataflow graphs. 

Several tools supporting particular parts of embedded system design are 
already available within the commercial area. For the purpose of modeling, 
tools based on StateCharts are very popular. Examples are STATEMATE [?] 
and the StateChart extension StateFlow of Matlab SIMULINK [?]. Likewise 
widely used is SDL, for instance within the tool SDT [?]. With regard 
to verification, an environment based on Statecharts is described in [?]. Within 
the environment, timing diagrams are used to formulate properties of the 
specified Statecharts. These can be checked with the help of a symbolic model 
checker [?]. However, existing commercial tools do not provide a means for a 
complete seamless design, including for instance a modeling environment as well 
as support for analysis and verification. Moreover, for commercial tools, atten- 
tion is rather put on pragmatic aspects, like comfortable generation of code and 
simple operability, whereas the conceptual bases are not well-elaborated. 

Some of the first non-commercial approaches towards a complete environment 
for the design of embedded systems were the projects AutoFocus [?], PTOLEMY 
[?], POLIS [?], and CodeSign [?]. Just as our approach, CodeSign is based on a 
high-level Petri Net model. In contrast to our work the scope of the project was 
focused on modeling and analysis. It did not address the generation of code for 
distributed target architectures as our methodology does. The other approaches 
mentioned are based on StateCharts and Finite State Machines respectively. 
They have in common that the underlying formal model is basically synchronous. 
However, one main idea behind the POLIS system is that the synchronous sub- 
systems - specified as so called Codesign Finite State Machines - communicate 
asynchronously. This is similar to our approach. As will be described later on 
in the paper, we transform suitable parts of a basically asynchronous Petri Net 
model into synchronous specifications. 

The rest of the paper is organized as follows. First, we give an overview of our 
methodology in Section 2. In Section 3 we describe an approach for integrating 
synchronous languages into our methodology. Section 4 contains the description 
of a so called prepartitioning method. Within the prepartitioning, information 
about the Petri Net model is exploited in order to configure a graph partitioning 
tool. The latter is used for dividing the model into parts that can be realized 
separately on the distributed target platform. For the realization of a modeled 
embedded system we developed a concept that uses standard services of an 
operating system to execute extended Pr/T-Nets. A description of this approach 
is given in Section 5. 

2 Design Methodology 

In this section, we first describe our underlying formal model with a small ex- 
ample. In the second subsection, an overview of the design flow proposed by our 
methodology is given. 



2.1 Formal Model 

As a common formal model for our design methodology we chose extended Pr/T- 
Nets. They are based on the basic model introduced by Genrich and Lauten- 
bach. The tokens are tuples of individuals of basic data types like integer, float 
or string. Accordingly, the edges are annotated with tuples of variables. Transi- 
tions carry conditions as well as actions using these variables and defining them 
respectively. Figure 1 shows a simple example. Some extensions were made to 
the standard Pr/T-Net model in order to model heterogeneous systems and 
real-time systems. The extensions include a means for integration of textual lan- 
guages, hierarchy, and a concept for graphical abstraction. For details of these 
extensions we refer to [?]. 



(Figure 1 is not reproduced in this text; of its labels only the places Is and Up and 
the transition T2 survive.) 

Fig. 1. Pr/T-Net example 



346 C. Rust, J. Tacken, and C. Boke 

A further extension are timing annotations. Extended Pr/T-Nets allow the 
definition of an enabling delay and a firing delay for each transition. The enabling 
delay specifies the time at which a transition starts firing after having been en- 
abled for some substitution. The time interval is not bound to the substitution, 
that is, the substitution may change during the delay period. The firing delay 
determines the duration of a transition firing, that is, the time between demark- 
ing of input places and marking of output places. For both delays an interval 
(min, max) may be specified describing the minimal delay and its maximal value 
respectively. For the firing delay values with 0 < min < max < ∞ are valid, 
whereas for the enabling delay also max = ∞ is allowed. 



2.2 Design Flow 

Our methodology for the design of parallel embedded real-time systems is based 
on a design flow first introduced in [?]. The design flow is divided into the 
three stages modeling, analysis and partitioning, and finally synthesis (cf. Figure 
2). We assume that the process of modeling starts with a heterogeneous system 
consisting of several components with different characteristics. The components 
may either be modeled using our formalism of extended Pr/T-Nets directly or 
by using a typical specification language of the respective application domain. 
Models specified using other languages than Pr/T-Nets are transformed into 
equivalent extended Pr/T-Nets already within the modeling phase. Thus, at the 
end of this phase, all components can be coupled together into one hierarchical 
Pr/T-Net model as shown in [?]. 

For several specification languages concepts have been developed in order 
to transform them into a Pr/T-Net model: diagrams for differential equations, 
token-based dataflow graphs, asynchronous hardware on gate level, software 
circuits, and SDL. The transformation from SDL into Pr/T-Nets was described 
in [?]. The specification of diagrams for differential equations and token-based 
dataflow graphs based on Pr/T-Nets was described in [?], the specification of 
software circuits in [?]. In each case, the specification is based on a Pr/T-Net li- 
brary for the respective language. Based on the library for diagrams of differential 
equations, the modeling of hybrid systems is also supported by our methodology 
[?]. As recently shown, even modeling paradigms for autonomous robots may 
be transformed into extended Pr/T-Nets [?]. 

After the process of modeling has been finished the design continues with the 
stage of analysis and partitioning. In this phase the extended Pr/T-Net model 
resulting from the modeling phase (cf. Figure 2, Hierarchical Pr/T-Net) is 
enriched with meta information. The analysis usually starts with simulations in 
order to check whether the system's behavior is as expected (Simulation and 
Animation). Running simulations is supported by a built-in component of our 
modeling tool SEA^1 (System Engineering and Animation). 

Later on, Petri Net analysis methods are used for verifying functional re- 
quirements on the specified system (Petri Net Analysis). We therefore try 
to determine net properties like reachability of states, deadlock freeness, live- 
ness, and boundedness via the skeleton of the extended Pr/T-Net model. From 
an extended Pr/T-Net we obtain the skeleton by stripping each token of its 
contents and eliminating the annotations of the transitions and edges. Markings 
and transition inputs and outputs in the skeleton then involve only numbers of 
tokens. 

^1 available at: http://www.c-lab.de/sea/ 

Fig. 2. Design Flow 

The strategy for analyzing Pr/T-Nets based on skeletons is depicted in Fig- 
ure 3. First, the abstraction of the Pr/T-Net as well as of the investigated prop- 
erty - e.g. the reachability of a certain state - is performed. The application 
of a Place/Transition Net analysis method yields some information about the 
respective property. Concerning the reachability analysis, one may get informa- 
tion whether the abstracted state is reachable in the skeleton and occasionally 
the firing sequences leading to this state. In some cases, the analysis results 
are directly valid within the Pr/T-Net. For instance the non-reachability of an 
abstracted state in a skeleton net implies that the respective state is also not 
reachable in the original Pr/T-Net. The underlying ideas are similar to those 
described in [?] and [?]. 

If the analysis results are not directly applicable, they have to be validated 
manually. However, the information yielded by the Place/Transition Net anal- 
ysis may still be useful. Considering the reachability problem it is for instance 
sufficient to examine only the firing sequences corresponding to those provided 
by the skeleton analysis. For a detailed description of our analysis approach we 
refer to [?]. 




Fig. 3. Skeleton based analysis of Pr/T-Nets 
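The two directions of the skeleton argument above (non-reachability in the skeleton carries over to the Pr/T-Net; reachability in the skeleton does not, and must be validated) as an added Python example. This is not the paper's tool: the tiny Pr/T-Net (a request that is granted only when it carries the stored key), its guards and its tokens are constructed here for illustration, and the skeleton is built exactly as the text describes, by dropping token contents and all arc and transition annotations.

```python
from collections import deque

# ---- Pr/T-Net: constructed toy model, not the paper's example -------------------
# A marking maps each place to a list of tokens; a token is a tuple of individuals.
class PrTTransition:
    def __init__(self, name, inputs, guard, outputs):
        self.name = name
        self.inputs = inputs    # {place: (variable, ...)} annotations of the input arcs
        self.guard = guard      # condition over the variables bound by the input arcs
        self.outputs = outputs  # {place: expression(binding) -> token} on the output arcs

def prt_bindings(t, marking):
    """Enumerate substitutions: one token per input place, bound to that arc's variables."""
    places = list(t.inputs)
    def rec(i, binding, used):
        if i == len(places):
            yield binding, used
            return
        p = places[i]
        for idx, tok in enumerate(marking[p]):
            b = dict(binding)
            b.update(zip(t.inputs[p], tok))
            yield from rec(i + 1, b, used | {(p, idx)})
    yield from rec(0, {}, frozenset())

def prt_successors(net, marking):
    """Fire every enabled (transition, substitution) pair once; yield the new markings."""
    for t in net:
        for binding, used in prt_bindings(t, marking):
            if not t.guard(binding):
                continue
            new = {p: [tok for i, tok in enumerate(toks) if (p, i) not in used]
                   for p, toks in marking.items()}
            for p, expr in t.outputs.items():
                new[p].append(expr(binding))
            yield new

def reachable_prt(net, m0, limit=200):
    """Bounded breadth-first exploration of the Pr/T-Net's own state space."""
    key = lambda m: tuple((p, tuple(sorted(m[p]))) for p in sorted(m))
    seen, queue, out = {key(m0)}, deque([m0]), [m0]
    while queue and len(seen) < limit:
        for n in prt_successors(net, queue.popleft()):
            if key(n) not in seen:
                seen.add(key(n)); queue.append(n); out.append(n)
    return out

# ---- Skeleton: strip token contents and all annotations ---------------------------
def skeleton(net):
    """Each arc keeps only its multiplicity (one token per arc here); guards disappear."""
    return [({p: 1 for p in t.inputs}, {p: 1 for p in t.outputs}) for t in net]

def abstract(marking):
    """Abstraction of a Pr/T marking: the number of tokens per place."""
    return tuple(sorted((p, len(toks)) for p, toks in marking.items()))

def reachable_skeleton(skel, m0, limit=200):
    """Plain P/T-Net reachability (BFS) on the skeleton from the abstracted initial marking."""
    start = abstract(m0)
    seen, queue = {start}, deque([start])
    while queue and len(seen) < limit:
        m = dict(queue.popleft())
        for pre, post in skel:
            if all(m[p] >= w for p, w in pre.items()):
                n = dict(m)
                for p, w in pre.items(): n[p] -= w
                for p, w in post.items(): n[p] += w
                k = tuple(sorted(n.items()))
                if k not in seen:
                    seen.add(k); queue.append(k)
    return seen

# ---- Constructed example: a request is granted only if it carries the stored key ---
NET = [
    PrTTransition("grant", {"req": ("x",), "key": ("k",)}, lambda b: b["x"] == b["k"],
                  {"granted": lambda b: (b["x"],), "key": lambda b: (b["k"],)}),
    PrTTransition("deny",  {"req": ("x",), "key": ("k",)}, lambda b: b["x"] != b["k"],
                  {"denied": lambda b: (b["x"],), "key": lambda b: (b["k"],)}),
]
M0 = {"req": [(7,)], "key": [(7,)], "granted": [], "denied": []}

def count(abstract_marking, place):
    return dict(abstract_marking)[place]

def analyse(net=NET, m0=M0):
    skel = reachable_skeleton(skeleton(net), m0)
    prt = {abstract(m) for m in reachable_prt(net, m0)}
    return {
        # soundness: every abstract marking the Pr/T-Net reaches is reachable in the skeleton
        "sound": prt <= skel,
        # the skeleton, having lost the guard, can reach a 'denied' token ...
        "denied_in_skeleton": any(count(m, "denied") == 1 for m in skel),
        # ... which the Pr/T-Net never does for a matching key: a result to validate manually
        "denied_in_prt": any(count(m, "denied") == 1 for m in prt),
        # two grants are unreachable in the skeleton, hence unreachable in the Pr/T-Net too
        "two_grants_in_skeleton": any(count(m, "granted") == 2 for m in skel),
        "two_grants_in_prt": any(count(m, "granted") == 2 for m in prt),
    }
```

The `analyse()` result shows both halves of the text's argument on one net: the skeleton over-approximates (it reaches a `denied` marking the guarded net cannot), so a skeleton "reachable" verdict only narrows the firing sequences to inspect, while a skeleton "unreachable" verdict (two `granted` tokens) is final for the Pr/T-Net.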



Petri Net analysis methods are not only used for verifying functional re- 
quirements. They may also provide information for further steps within our 
design flow. For instance, the boundedness of places is crucial for some synthe- 
sis methods as well as for the transformation of synchronous subnets into syn- 
chronous languages. The latter becomes obvious in Section 3, in which this step 
(Transformation of synchronous parts) will be further explained. The idea 
behind the transformation is that appropriate model parts, that is parts with 
characteristics of synchronous models, are transformed into the world of syn- 
chronous languages like ESTEREL, LUSTRE, and SIGNAL [20]. Here, a multi- 
tude of academic and in particular also commercial design tools exists, which 
support for instance verification or generation of efficient code for synchronous 
models. 

In order to ensure real-time restrictions we have to check whether distinct 
components of the system under development react to an input within speci- 
fied time limits (Timing Analysis). For this purpose, a key component within 
our design methodology is CHaRy [?]. Basically CHaRy is a software synthesis 
tool for hard real-time systems. It is capable of generating C-code for embedded 
microcontrollers (target code), whereby a tight estimation of the code's worst 
case execution time is computed. CHaRy was primarily designed for process- 
ing straight-line hard real-time programs, basically a subset of C. For complex 
parallel systems the timing analysis and synthesis methods provided by CHaRy 
are combined with Petri Net based methods. The idea for combining them is as 
follows. In a first step, Petri Net analysis methods yield possible computation 
paths of a given model. According to these paths, CHaRy afterwards synthesizes 
target code with a predictable behavior concerning the execution time. For fur- 
ther details we refer to [?]. Timing analysis methods are not only a means for 
ensuring real-time restrictions, but also for conceiving meta information needed 
within the partitioning and synthesis phase. 

Partitioning is one of the crucial design steps on the way from a high-level 
Petri Net to an implementation on a distributed target architecture. Before the 
Petri Net model can be transformed into target code and into dedicated hardware 
components respectively, it must be divided into corresponding model parts. For 
partitioning, we use the library PARTY [22] together with the prepartitioning 
method described in Section 4. PARTY provides min-cut methods for computing 
a balanced partitioning of an undirected weighted graph. This fits well to our 
problem, if the Petri Net graph partitioning problem is converted into a problem 
for PARTY as follows. Each unit of the prepartitioned net is mapped to a node. 
The communication among nodes is specified by arcs. The execution time of 
the units as well as the communication effort is modeled via weights. In the 
final partitioning yielded by PARTY, each partition contains at least one unit 
of the prepartitioned net. Since different partitions may be mapped to different 
execution units in the final implementation, min-cut methods are appropriate in 
order to keep the communication effort small. 

For units of the prepartitioned net that were merged together during the 
final partitioning, the respective C-code fragments also have to be merged. 
Thereby, the units of the final implementation emerge, which may be mapped 
to a controller or processor of the target hardware. However, this is only one 
possibility of generating code for one partition of the model, designated as 
Synthesis of Pr/T-Nets in Figure 2. Whether there are more possibilities 
depends on the results of analysis and partitioning. It may for instance be 
feasible and also reasonable to generate the final implementation of a model 
part from its original specification in another specification language (Synthesis 
of original specification). In this case the respective model part was only 
mapped into a Pr/T-Net in order to enable analysis of the complete model. If 
synchronous model parts were found during analysis and transformed into syn- 
chronous languages as it will be described in Section 3, tools for these languages 
may be used for the implementation of these parts (Synthesis of synchronous 
Pr/T-Nets). In any case, for executing the various parts of the implementation, 
usually a real-time operating system (RTOS) is needed. For executing the units 
synthesized from Pr/T-Nets, we propose to use a customized RTOS, which is 
solely dedicated to the execution of Pr/T-Nets (cf. Section 5). 

Before finishing the design, it has to be checked whether all real-time con- 
straints will be met by the implementation. If the constraints cannot be ensured, 
we either repartition the system or replace the software solution for critical parts 
by special purpose hardware. For the latter synthesizable VHDL-code is gen- 
erated using the tool PMOSS^2. The iterative process of repartitioning and/or 
replacing software by hardware components has to be repeated until an imple- 
mentation fulfilling all requirements has been found. 

3 Mapping Pr/T-Nets to Synchronous Automata 

It is generally accepted that Petri Nets are well suited for modeling, analysis, 
and synthesis of asynchronous systems. Basically they are likewise suitable for 
synchronous systems. However, during the last decade synchronous languages 
like ESTEREL, LUSTRE, and SIGNAL [20] have gained great popularity. For 
these languages a multitude of tools supporting the design of embedded sys- 
tems exist. With respect to the acceptance of our design methodology it therefore 
appears advisable to transfer suitable model parts into synchronous languages. 
A linkage to all prevalent synchronous languages is possible via synchronous 
automata, which were introduced in order to provide a formal model for syn- 
chronous languages [23]. Hence, our approach for a linkage to synchronous lan- 
guages is to determine inherently synchronous parts of a specified Pr/T-Net 
model and transform them into synchronous automata. 



3.1 Synchronous Automata 

The operation of synchronous automata is as follows. In each execution cycle an 
automaton evaluates a set of signals. Depending on these signals as well as on 
an internal state, output signals are generated. Furthermore the following state 
is determined. Consequently, the main components of a synchronous automaton 
are a set of signals, a set of control registers for representing the internal state 
and a reaction as well as a transition function. The reaction function is used for 
emitting signals, the transition function for manipulating the control registers. 

In Figure 4 a simple example for a synchronous automaton together with a 
graphical representation is depicted. The element sums up a signal c. In each 
cycle with c bearing a value, this value is added to the control register h, which 
is sent to the environment via the signal s. The signal r provides a means for 
resetting the sum to zero. 

The reaction function is specified by statements of the form s ⇐ v if φ, 
which means that signal s is emitted with value v if the condition φ is true. 
Otherwise the signal is not emitted. The transition function, which is evaluated 
after the reaction function, is defined by statements like h ← v if φ, which 
means that the value v is assigned to the control register h if the condition 
φ is true. Otherwise the value of h remains unchanged. In order to facilitate 
initializations a specific signal α is emitted once at the starting point of executing 
a synchronous automaton. The conditions in the statements are each a logical 
formula containing con- or disjunctions over signals and control registers. In order 
to distinguish an instance from an assigned value, we use E(s) for denoting the 
value of a signal s and V(h) for the value of a control register h. 

^2 http://www.uni-paderborn.de/cs/ag-hardt/Forschung/Pmoss/pmoss.html 

S = {c, r, s} 

H = {h} 

s ⇐ V(h) + E(c) if c ∧ ¬r ∧ ¬α 
s ⇐ 0 if r ∨ α 

h ← V(s) if s 

Fig. 4. Example for a synchronous automaton 




3.2 Synchronous Pr/T-Nets 

We now characterize the class of Pr/T-Nets that are suitable for a transformation 
into an equivalent synchronous automaton. A Pr/T-Net is called synchronous, 
if the following conditions are fulfilled: 

(1) All transitions of the net have the same timing annotation. 

(2) The net is k-safe. 

(3) The net is deterministic. 

Synchronous languages usually have no explicit notion of physical time. 
Only simultaneity and precedence between events can be expressed. Accord- 
ingly Pr/T-Nets with all transition delays set to zero fulfill one condition to be 
called synchronous^3. But the zero delay is no prerequisite. We rather demand 
in the first condition that all transitions have the same delay. This implies that 
all enabled transitions fire within the same interval of time, which is already a 
synchronous execution. The second condition guarantees that the state space of 
the derived synchronous automaton is finite. Finally, deterministic behavior is a 
basic property of synchronous languages. In the area of Pr/T-Nets deterministic 
behavior requires that a net contains no input conflicts. It may of course contain 
structural conflicts, but these have to be solved by the conditions of the involved 
transitions (cf. Figure 0). 



3.3 Transformation 

In this subsection we describe the transformation of a synchronous Pr/T-Net 
into a behavior-equivalent synchronous automaton. Behavior-equivalent means 
that for each reachable state in the extended Pr/T-Net a reachable state in the 
synchronous automaton exists. One may argue that mapping a finite-state Petri 
Net to an automaton is a well-known and of course solved problem. However, 
synchronous automata are not only a particular flavor of finite automata. They 
have on the contrary several extensions. It seems to be reasonable to exploit these 
extensions for the realization of appropriate Pr/T-Nets, for instance in order to 
express parallelism. To our knowledge currently no mapping from a Petri Net 
model to synchronous automata exists. We therefore defined the transformation 
depicted below with the basic ideas described in the following. 

^3 We thereby suppose a Petri Net execution semantics enforcing each enabled transi- 
tion to fire immediately. 

The actual marking of a given Pr/T-Net is stored in the actual state of the 
synchronous automaton, that is in the control registers (cf. (i) in the description 
below). The initial marking is created by means of statements within the reaction 
and transition functions that use the special signal α (ii). Furthermore, the 
firing of transitions has to be modeled in the synchronous automaton. First of 
all, the concession to fire is modeled by a signal for each transition. The signal is 
emitted each time the transition is enabled (iii). In order to model the firing of 
transitions, additional signals for storing new place markings are needed (i). The 
new marking of each place after an execution step is stored into these signals by 
means of the reaction function (iv). At the end of an execution step the place 
markings are copied from the mentioned signals to control registers by means of 
the transition function (v). To illustrate the transformation, the Pr/T-Net shown 
in Figure 1 is used. For a complete description and proof of the transformation 
see [?]. 



(i) Definition of control registers and signals for actual marking 

For each place p with the upper bound k in the extended Pr/T-Net create 
the control registers h_{p_1}, ..., h_{p_k} in the synchronous automaton as well as 
the signals s_{p_1}, ..., s_{p_k}. 

For the example in Figure 1 the following control registers and signals are 
created: 

H = {h_{Is1}, h_{Should1}, h_{Difference1}, h_{Up1}, h_{Down1}} 
S = {s_{Is1}, s_{Should1}, s_{Difference1}, s_{Up1}, s_{Down1}} 

(ii) Initial marking 

For each token m_i within the initial marking {m_1, ..., m_j} of a place p 
create the following statement within the reaction function: 

s_{p_i} ⇐ V_{m_i} if α. 

Thereby V_{m_i} denotes the value of m_i. 

The initial marking in our example is created by: 

s_{Is1} ⇐ 5 if α   and   s_{Should1} ⇐ 3 if α 

(iii) Signal emission for enabled transitions 

For each transition t create a signal s_t and the following statement within 
the reaction function: 

s_t ⇐ λ if c_t 

Thereby c_t is a logical formula for deciding whether t is enabled. 
There is no need to assign a value to s_t; hence it is set to λ. 

For the example in Figure 1 this step creates three signals with the following 
statements emitting them: 

s_{T1} ⇐ λ if h_{Is1} ∧ h_{Should1} 

s_{T2} ⇐ λ if h_{Difference1} ∧ V(h_{Difference1}) > 0 
s_{T3} ⇐ λ if h_{Difference1} ∧ V(h_{Difference1}) < 0 

(iv) Signal emission for tokens resulting from transition firing 

For each token m_i in the marking {m_1, ..., m_k} of a place p with the upper 
bound k, the preset {t_1, ..., t_m}, and the postset {t_{m+1}, ..., t_n} create the 
following statements within the reaction function: 

s_{p_i} ⇐ V(h_{p_i}) if ⋀_{j=1}^{n} ¬s_{t_j} 

for each j ∈ {1, ..., m}: s_{p_i} ⇐ V_{t_j} if s_{t_j} ∧ ⋀_{l=m+1}^{n} ¬s_{t_l} 

Due to the first statement, the token remains unchanged if no transition 
within the pre- and postset of p fires. The creation of tokens by firing of 
transition t_j is realized with the other statements^4. 

For the place Difference in the example the following statements are cre- 
ated by this step: 

s_{Difference1} ⇐ V(h_{Difference1}) if ¬s_{T1} ∧ ¬s_{T2} ∧ ¬s_{T3} 
s_{Difference1} ⇐ V(h_{Is1}) − V(h_{Should1}) if s_{T1} ∧ ¬s_{T2} ∧ ¬s_{T3} 

(v) Storing of new marking 

For each token m_i in the marking {m_1, ..., m_k} of a place p with the upper 
bound k create the following statements within the transition function: 

h_{p_i} ← V(s_{p_i}) if s_{p_i}. 

The new marking of the place Difference in the example (which may be its 
old marking) is set using the following statement within the transition 
function. 

h_{Difference1} ← V(s_{Difference1}) if s_{Difference1}. 

4 Partitioning 

In this section we describe an approach for the fine-granular partitioning of 
Pr/T-Nets. As already described earlier, this method is used as a prepartitioning 
in the overall design flow. The step of clustering the partitions resulting 
from prepartitioning into the units of the final implementation is left to the 
standard graph partitioning tool PARTY. Above all, the prepartitioning aims 
at identifying model parts that are well-suited for parallel execution. Our main 
point of concern thereby is the handling of conflicts. Encapsulating them into 
partitions avoids that the conflict handling is distributed over several partitions. 
This could lead to communication overhead (cf. Figure 5 b), since different 
partitions may be mapped to different nodes of the target architecture. Due to the 
handling of conflicts, our method ensures that instead each communication 
between partitions can be realized with a simple send and forget mechanism (cf. 
Figure 5 a). As can be seen in the figure, our algorithm cuts Pr/T-Nets at places. 
This is the natural way to partition Pr/T-Nets, since transitions are their 
active elements, whereas places are just data buffers. Cutting a place p stands 
for dividing the net into two partitions that are disjoint except for p, which is 
duplicated and part of both partitions. 

* The demarking of places due to firing of transitions is realized implicitly without 
further effort, since a signal for a token will only be emitted if the token is created 
or remains unchanged. 

Besides encapsulating conflicts the prepartitioning also aims at a fine-gra- 
nular partitioning in order to provide a wide scope for the graph partitioning 
tool used for clustering the resulting partitions. Unfortunately, a straightforward 
partitioning, that encapsulates conflicts, usually leads to large partitions. For this 
reason, the prepartitioning first performs a transformation of the given Petri Net, 
which does not change the semantics of the net, but facilitates the partitioning. 

In order to specify our ideas more precisely we first need some basic defini- 
tions. 

Let N be an extended Pr/T-Net and t a transition of N. 

(1) t is called exclusively triggered iff 

— the pre-set of t contains at most one place, and 

— the post-set of each place in the pre-set of t contains one transition 
(namely t). 

(2) t is called exclusively producing iff 

— the post-set of t contains at most one place, and 

— the pre-set of each place in the post-set of t contains one transition 
(namely t). 

Fig. 5. Partitioning alternatives for an input conflict: a) conflict encapsulating 
partitioning; b) overhead prone cutting of places (both variants show partition 1 
and partition 2) 

Each Pr/T-Net can easily be transformed into an equivalent one containing 
only transitions that are either exclusively triggered or exclusively producing. 
The transformation is done by splitting transitions as illustrated in Figure 6. 

Fig. 6. Transition splitting 

In this figure the transition $t_1$ is split into the exclusively producing transition 
$t_1'$ and the exclusively triggered transition $t_1''$. As can be seen, the annotations 
of $t_1$ remain unchanged at $t_1'$. The edges between $t_1'$ and $t_1''$ are annotated 
with a tuple containing the output variables of $t_1$. 

By applying this transformation to each transition of a Pr/T-Net our prepartitioning 
algorithm ensures that no transition is involved in both an input conflict 
and an output conflict. Thereby it becomes easy to completely cover the net 
with well-formed subnets, which are characterized in the next definition. In the 
definition Part(N, T') denotes the subnet of a given net N that contains the 
transitions T', the places within the pre-set and the post-set of these transitions, 
and the edges between these sets of nodes. The annotation of all subnet 
elements is left unchanged. 

Let N be an extended Pr/T-Net and T' a subset of its transitions. 

(1) The subnet Part(N, T') is called output conflict complete iff 

— each transition t ∈ T' is exclusively triggered, and 

— for each place p within the post-set of T' the pre-set of p is a subset of T'. 

(2) The subnet Part(N, T') is called input conflict complete iff 

— each transition t ∈ T' is exclusively producing, and 

— for each place p within the pre-set of T' the post-set of p is a subset of T'. 

For a Pr/T-Net containing only exclusively triggered and exclusively producing 
transitions, a partitioning into subnets with the just defined characteristics 
is computed in a straightforward way. Until all transitions are assigned to a 
partition, the algorithm fetches one of the not yet processed transitions and builds a 
new partition with all (directly or indirectly) conflicting transitions. The resulting 
well-formed subnets are the units produced by our prepartitioning step. An 
example for applying our prepartitioning method to a Pr/T-Net is depicted in 
Figure 7. The transitions $t_1$ and $t_2$ of the original net have been split. In the 
resulting net partition 1 is an input conflict complete subnet whereas partition 
2 is output conflict complete. 

With the example the main advantage of our partitioning technique becomes 
visible. The interface places belonging to both partitions have the property that 
all incoming edges originate from the same partition and all outgoing edges lead 
to the same partition. This is generally true for interface places. If for instance a 
place p has incoming edges from different transitions these transitions will have 
an output conflict and are contained in the same partition. If on the other hand 
p has outgoing edges to different transitions these have an input conflict and 
again are contained in the same partition. Due to this property of the potential 
interface places, communication can be realized with a simple send and forget 
mechanism, as it was promised in the introduction of this section. As long as 
the partitions computed by our algorithm are considered as minimal ones it is 
guaranteed that no additional overhead for a complicated protocol is necessary 
to realize the communication between partitions. Furthermore, the structure of 
the partitions is quite simple. This is due to the fact that no partition contains 
both input conflicts and output conflicts and the partitions contain no inner 
places (there is no sequence of more than one transition). 
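The following Python program, added here as an illustration and not the authors' 
implementation, carries out the prepartitioning of this section on a constructed 
net (it is not the net of Figure 7): it splits every transition into $t'$ and 
$t''$, groups transitions into partitions by direct and indirect conflict, checks 
each partition against the two definitions above, and checks the interface 
property that every place receives all incoming edges from one partition and 
sends all outgoing edges to one partition. Net annotations are omitted since they 
do not influence the partitioning. 

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Net:
    """Structure of a Pr/T-Net: places, and the input/output places of each transition."""
    places: Set[str]
    pre: Dict[str, Set[str]]     # transition -> its input places (pre-set of t)
    post: Dict[str, Set[str]]    # transition -> its output places (post-set of t)

    def transitions(self) -> Set[str]:
        return set(self.pre)

    def producers(self, p: str) -> Set[str]:
        """Pre-set of place p: transitions with an edge into p."""
        return {t for t in self.pre if p in self.post[t]}

    def consumers(self, p: str) -> Set[str]:
        """Post-set of place p: transitions with an edge out of p."""
        return {t for t in self.pre if p in self.pre[t]}


def exclusively_triggered(net: Net, t: str) -> bool:
    return len(net.pre[t]) <= 1 and all(net.consumers(p) == {t} for p in net.pre[t])


def exclusively_producing(net: Net, t: str) -> bool:
    return len(net.post[t]) <= 1 and all(net.producers(p) == {t} for p in net.post[t])


def split_transitions(net: Net) -> Net:
    """Replace every t by t' (pre-set of t -> new place q_t) and t'' (q_t -> post-set of t)."""
    places, pre, post = set(net.places), {}, {}
    for t in net.pre:
        q = f"q_{t}"
        places.add(q)
        pre[t + "'"], post[t + "'"] = set(net.pre[t]), {q}
        pre[t + "''"], post[t + "''"] = {q}, set(net.post[t])
    return Net(places, pre, post)


def in_conflict(net: Net, t: str, u: str) -> bool:
    """Direct conflict: a shared input place (input conflict) or a shared output place (output conflict)."""
    return t != u and bool(net.pre[t] & net.pre[u] or net.post[t] & net.post[u])


def prepartition(net: Net) -> List[Set[str]]:
    """Each partition: one unprocessed transition plus all directly or indirectly conflicting ones."""
    unprocessed, parts = net.transitions(), []
    while unprocessed:
        seed = min(unprocessed)          # any unprocessed transition; min() keeps the run deterministic
        part, frontier = {seed}, [seed]
        while frontier:
            t = frontier.pop()
            for u in net.pre:
                if u not in part and in_conflict(net, t, u):
                    part.add(u)
                    frontier.append(u)
        parts.append(part)
        unprocessed -= part
    return sorted(parts, key=min)


def output_conflict_complete(net: Net, ts: Set[str]) -> bool:
    return all(exclusively_triggered(net, t) for t in ts) and \
        all(net.producers(p) <= ts for t in ts for p in net.post[t])


def input_conflict_complete(net: Net, ts: Set[str]) -> bool:
    return all(exclusively_producing(net, t) for t in ts) and \
        all(net.consumers(p) <= ts for t in ts for p in net.pre[t])


def send_and_forget_ok(net: Net, parts: List[Set[str]]) -> bool:
    """Interface property: all producers of a place lie in one partition, all consumers in one partition."""
    owner = {t: i for i, part in enumerate(parts) for t in part}
    return all(len({owner[t] for t in net.producers(p)}) <= 1 and
               len({owner[t] for t in net.consumers(p)}) <= 1 for p in net.places)


def example_net() -> Net:
    """Constructed example: t1 and t2 compete for p1 (input conflict), t3 and t4 both feed p5 (output conflict)."""
    return Net({"p1", "p2", "p3", "p4", "p5"},
               pre={"t1": {"p1"}, "t2": {"p1"}, "t3": {"p2"}, "t4": {"p4"}},
               post={"t1": {"p2", "p3"}, "t2": {"p4"}, "t3": {"p5"}, "t4": {"p5"}})


if __name__ == "__main__":
    net = split_transitions(example_net())
    for part in prepartition(net):
        kind = "input" if input_conflict_complete(net, part) else "output"
        print(sorted(part), kind, "conflict complete")
```

On the unsplit net the partition {t1, t2} is neither input nor output conflict 
complete, because t1 has two output places and shares its input place; after 
splitting, the six partitions are all well-formed and the interface check passes. 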



5 Pr/T-Net Engine 

In the following, we describe our approach for the execution of Pr/T-Nets using 
standard services of an operating system, which is part of the software implementation 
of extended Pr/T-Nets on a network of interconnected microcontrollers 
or processors. More precisely, the approach accompanies the step called 
Synthesis of Pr/T-Nets in the design flow figure. Since it is part of the synthesis 
stage within the overall design flow, the approach described in this section 
presumes the steps performed in the second stage, in particular a partitioning of 
the specified model and a mapping of the partitions to nodes of the target 
architecture. 

A canonical strategy for generating a software implementation of a Pr/T-Net 
is as follows. For each transition, code for its execution is produced. Depending 
on the semantics of our underlying Petri Net model as well as on the structure 
of the specific model additional simulation code is produced. For each execution 
step, the latter code (simulator) selects one of the currently enabled transitions, 
initiates its execution and determines modifications on the set of enabled transitions 
afterwards. Both the transition code and the simulation code are usually 
produced in one of the usual programming languages (e.g. C, C++, Java). From 
this code a program for the respective execution platform is produced. 

The approach just described, which is well-established for the automatic generation 
of simulation code from Petri Net models, leads to some overhead in the 
implementation of the system. Some functions performed for the execution of 
Pr/T-Nets are also inherently present in the operating system. An example is 
the scheduling of enabled transitions by the simulator and the scheduling of 
executable threads by the operating system. This existence of two 
schedulers, which cannot be avoided in the area of workstations, is dispensable 
when implementing embedded systems. Here, the Pr/T-Net execution is the 
only task of the operating system on each microcontroller. Hence, the scheduler 
can be used directly for scheduling transitions, reducing the overhead and 
thereby the costs of the execution. These considerations lead to the main idea of 
our software synthesis approach. The execution of Pr/T-Nets is integrated into 
the operating system, that is we realize a mapping of Pr/T-Net functionality 
onto OS services as depicted in Figure 8. When realizing this idea, which was 
already proposed in earlier work, mainly two questions arise: how may Pr/T-Net 
functionalities be mapped to OS services, and how have these services to be adapted 
for Pr/T-Net execution. 

The realization of the presented approach is based on our customizable library 
based real-time operating system kit Dreams. It seems to be a drawback that 
we are using a proprietary solution instead of a standard RTOS. But realizing 
our concepts is not possible based on a fixed RTOS kernel. We rather need a 
tool allowing for the flexible generation of an RTOS that is customized to a 
specific application. However, a trend towards RTOS kits like Dreams seems to 
be established in the field of operating systems research, since several such 
approaches have emerged during the last years. 

Dreams is a construction set for real-time operating systems. From 
the Dreams library an optimized RTOS, highly adapted to the requirements of the 
Pr/T-Net, can be derived by customization. After selection, configuration, 
and compilation of appropriate parts of Dreams an RTOS is created out of 
Dreams's basic components. The thereby defined RTOS may support memory 
management, device access, multithreading (scheduling), resource allocation, 
mutual exclusion, synchronization, and communication for embedded real-time 
applications. Dreams is an object-oriented system. The basic components are 
written completely in C++ (except some very few lines in assembler for context 
switching). The class structure of Dreams is the basis for its customization. 
The configurable classes are defined in terms of so called Skeletons. For providing 
configuration facilities C++ was extended by a Skeleton Customization 
Language (SCL). Customization within Dreams is applied during compilation 
of a concrete execution platform (kernel-like virtual machine). Therefore SCL 
is translated into preprocessor commands which are finally handled in the 
compilation process. By applying customization, several class properties may be 
configured, for instance the base classes and the components of a class. 

Fig. 8. Integration of Pr/T-Net Domain and OS Domain 

In the following, we first deal with the question, how Pr/T-Net functionalities 
may be mapped to OS services, and afterwards how these services have to be 
adapted for Pr/T-Net execution. 

The active elements of Pr/T-Nets are the transitions, whereas in operating 
systems processes are the active units. Moreover, the lifecycle of a transition, with being 
disabled, enabled, firing, and again enabled or disabled, is similar to that of 
processes, which is depicted in Figure 9. Processes change their states between 
blocked (waiting for a message), ready (ready for execution because a message 
was received), and running (the process is executing). Similarly, the token flow 
in a Pr/T-Net can be compared with message passing in a process system. Thus 
we identify transitions with processes, tokens with messages and, consequently, 
places with mailboxes. 

The required global instance (simulator) that controls the execution order of 
transitions can be identified with the process scheduler (with its ready queue) 
of a multi-tasking operating system. Nevertheless, the operating system requires 
some special adaptions according to the special semantics of the (transition) pro- 
cess system. These adaptions especially include changes in the scheduler function 
which selects the next ready process for execution, the scheduling policy itself, 
and the handling of mailboxes. 

The execution cycle of a periodic process consuming and producing messages 
usually is as follows. A process is blocked when trying to receive a message from 
its incoming mailbox. Once a message arrives, the operating system sets the state 
of the process from blocked to ready. Therefore, the process is entered into the 
ready queue, from which the process scheduler fetches the processes to execute. 
Having been started by the scheduler, the process changes into the running state, 
consumes the available message, and produces output messages. These are sent 
to the mailboxes of other processes awaiting the data. After doing this the process 
starts a new cycle. The sending procedure is handled by the operating system, 
which means the data are inserted into the mailbox and the awaiting process is 
set to ready state. 

Fig. 9. Assignment of transition and process states 

There are some differences to the execution cycle of transitions in Pr/T-Nets. 
In contrast to a process which is waiting for the arrival of a single message in 
its mailbox, a transition can wait for multiple tokens on several input places. 
Furthermore, a process has exclusive access to its mailbox, whereas tokens on a 
place may be consumed by several transitions. Finally, the receiving of a message 
is already a sufficient condition for a process to become ready. The tokens 
available for a transition must fulfill further conditions before the transition can 
fire. 

To embrace these differences the following adaptations have to be implemented. 
First, mailboxes must be separated from the processes. Therefore, a mailbox ID 
must be specified in order to receive a message. Second, it must be possible 
to wait for the reception of messages in different mailboxes. The state of the 
waiting process may only change from blocked to ready if a message is available 
in every mailbox. Furthermore the messages' values must fulfill the enabling 
condition of the respective transition. In order to achieve this it must be possible 
to read the values contained in messages without consuming them, which is no 
standard functionality of operating systems. The step of reading and consuming 
all messages must be atomic because otherwise side effects violating the Petri 
Net model occur. This can easily and without any overhead be achieved if a 
run-to-completion or co-operative policy is applied to the scheduling mechanism 
instead of a preemptive version. 
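The three adaptations read naturally as a small cooperative engine. The Python 
program below is an added illustration of that mapping and is not the Dreams-based 
implementation: mailboxes are FIFOs addressed by place name rather than owned 
by a process, a transition process becomes ready only when every input mailbox 
holds a message whose peeked value satisfies the enabling condition, and the 
scheduler runs a process to completion, so peek and consume cannot be 
interleaved with another process. The example net and the scheduling order 
(round robin over the ready processes) are assumptions; the paper shows neither 
the post-sets of T2 and T3 nor the policy used. 

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional


class Mailbox:
    """A place as an OS mailbox: a FIFO of token values that is not owned by any process."""

    def __init__(self) -> None:
        self._q: Deque[object] = deque()

    def send(self, value: object) -> None:       # send and forget: no acknowledgement, no blocking
        self._q.append(value)

    def empty(self) -> bool:
        return not self._q

    def peek(self) -> object:                    # the non-standard service: read without consuming
        return self._q[0]

    def consume(self) -> object:
        return self._q.popleft()

    def contents(self) -> List[object]:
        return list(self._q)


@dataclass
class TransitionProcess:
    """A transition as a process blocked on several mailboxes (its input places)."""
    name: str
    inputs: List[str]
    guard: Callable[[Dict[str, object]], bool]                 # enabling condition over peeked values
    action: Callable[[Dict[str, object]], Dict[str, object]]   # consumed values -> messages to send

    def ready(self, boxes: Dict[str, Mailbox]) -> bool:
        # blocked -> ready only if every input mailbox holds a message and the values pass the guard
        if any(boxes[p].empty() for p in self.inputs):
            return False
        return self.guard({p: boxes[p].peek() for p in self.inputs})

    def run(self, boxes: Dict[str, Mailbox]) -> None:
        # running: consume all inputs, then send the outputs; atomic because nothing preempts us
        values = {p: boxes[p].consume() for p in self.inputs}
        for p, v in self.action(values).items():
            boxes[p].send(v)


class Engine:
    """Run-to-completion scheduler; the ready set is recomputed from the mailboxes after each run."""

    def __init__(self, places: List[str], procs: List[TransitionProcess]) -> None:
        self.boxes = {p: Mailbox() for p in places}
        self.procs = list(procs)
        self.log: List[str] = []

    def step(self) -> Optional[str]:
        for i, proc in enumerate(self.procs):
            if proc.ready(self.boxes):
                proc.run(self.boxes)
                self.procs = self.procs[i + 1:] + self.procs[:i + 1]   # round robin (assumed policy)
                self.log.append(proc.name)
                return proc.name
        return None                                  # every process is blocked

    def run(self, max_steps: int = 100) -> List[str]:
        while len(self.log) < max_steps and self.step() is not None:
            pass
        return list(self.log)


def example_engine(is_value: int, should_value: int) -> Engine:
    """Is/Should/Difference net: T1 computes Is - Should (assumption), T2 and T3 compete for Difference."""
    t1 = TransitionProcess("T1", ["Is", "Should"], lambda v: True,
                           lambda v: {"Difference": v["Is"] - v["Should"]})
    t2 = TransitionProcess("T2", ["Difference"], lambda v: v["Difference"] > 0, lambda v: {})
    t3 = TransitionProcess("T3", ["Difference"], lambda v: v["Difference"] < 0, lambda v: {})
    engine = Engine(["Is", "Should", "Difference"], [t1, t2, t3])
    engine.boxes["Is"].send(is_value)            # the initial marking, delivered before scheduling
    engine.boxes["Should"].send(should_value)
    return engine


if __name__ == "__main__":
    print(example_engine(5, 3).run())             # ['T1', 'T2']
```

With Is = 5 and Should = 3 the engine fires T1 then T2; with the difference 0 
neither T2 nor T3 passes its guard, so the message stays in the Difference 
mailbox and both processes remain blocked, which is the behaviour a plain 
receive() could not give. 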

All required changes have been implemented in an RTOS using Dreams. An 
appropriate configuration of the class library was created so that all prerequisites 
are fulfilled. In order to reveal the benefits of this approach we compared it 
to the traditional implementation with a simulator process on top of an operating 
system. The operating system was a preemptive, 'normally' configured RTOS 
which uses semaphores for serialization. As an input for both implementations 
we used 41 Pr/T-Nets each consisting of one transition. They were connected 
in a cycle. The execution of both experiments was done on a single PowerPC 
processor running at 40 MHz. The results of their execution confirmed our 
expectations. The time used for a transition cycle could be reduced from 526.38 µs 
to 270.90 µs. The time used for the simulator and operating system to switch 
from one transition per net (process respectively) to the next one was reduced 
from 665.60 µs to 215.40 µs. It should be stated that the reduction of execution 
time highly depends on the net structure. But experiments with other nets have 
shown that there is an overall benefit of using our approach. In the worst case 
the reduction only reached 30%. In the above mentioned experiment there is 
a reduction of up to 59% for the execution of a distributed Pr/T-Net using our 
approach. 

6 Conclusion 

In this paper we presented our recent work towards a complete methodology 
for the Pr/T-Net based design of complex embedded real-time systems. We 
first described an approach for mapping Pr/T-Nets to synchronous languages. 
It enables us to exploit the numerous design methods and tools available for 
synchronous languages also for the design based on Pr/T-Nets. Secondly a tech- 
nique was presented to configure a standard graph partitioning tool in a way 
that Petri Net graphs are partitioned with respect to their execution semantics. 
This is valuable for instance in order to reduce the communication overhead in 
a distributed implementation of the partitioned system. Finally a new approach 
for a software implementation of high-level Petri Nets was presented. The main 
idea is to integrate the execution of a Pr/T-Net into an RTOS, which leads to 
an efficient implementation of a specified model on a target architecture of 
interconnected microcontrollers. Up to now, we have realized the basic implementations 
for our approaches, integrated them into our methodology, and made several 
qualitative investigations of whether the developments are valuable for our design 
methodology. Currently we are performing additional quantitative experiments 
in order to measure the effect of our techniques on factors like code-size or per- 
formance for several different models. In particular we thereby investigate the 
potential of some improvements we have in mind for the presented approaches. 
An intended enhancement of the prepartitioning method is for instance to take 
into consideration not only structural properties of the given Pr/T-Net models, 
but also information about their dynamic behavior, that can be provided by 
analysis methods. Similarly, in the future analysis results shall be used to con- 
figure the Pr/T-Net engine generated for the execution of a specified model as 
described in this paper. If for instance due to analysis results a place is known to 
be safe, a static mailbox could be generated for this place, which is much more 
efficient than the generic implementation of a mailbox. 
In order to evaluate our methodology we have also studied several application 
examples over the last years. The methodology was for instance used for modeling 
a series hybrid drive for vehicles as well as an anti-lock braking system for 
a car. Our main focus within these projects was on modeling, simulation, 
and timing analysis. The modeling and analysis of a decentralized traffic 
management system using our methodology was presented in earlier work. The 
analysis in particular included the verification of essential system properties like 
deadlock-freeness. More recently, we applied our tools for designing a control for 
a small mobile robot. This robot, the so called C-LAB Pathfinder, is currently our 
main target platform. It is equipped with several standard microcontrollers and a 
communication system that are widely used in the area of embedded systems. 
This platform enables us to evaluate our tools in the complete design flow 
reaching from modeling down to the implementation on embedded controllers. 
Abstract. Rewriting logic (RL) is an extension of standard algebraic 
specification techniques which uses rewrite rules to model the dynamic 
behaviour of a system. In this paper we consider using RL and the asso- 
ciated support tool Elan as an environment for rapidly prototyping and 
analysing Petri nets with time. We link these algebraic tools to the exist- 
ing Petri net tool PEP which we use to provide a user-friendly front end 
to our framework. Our flexible approach allows the wide range of possible 
time extensions presented in the literature to be investigated and thus 
overcomes one of the major drawbacks of the current hardwired tools. 
We demonstrate our ideas by considering time Petri nets in which transi- 
tions are associated with a time interval within which they can fire. The 
flexibility of our approach is illustrated by modelling a range of semantic 
alternatives for time Petri nets taken from the literature. 



1 Introduction 

The theory of Petri nets provides a graphical 
notation with a formal mathematical semantics for modelling and reasoning 
about concurrent, distributed systems. One shortcoming of basic Petri nets is 
that they do not provide any insight into the time behaviour of systems. For 
real-time systems such as protocols with timeouts such timing information is 
extremely important. To address this a variety of Petri 
net extensions with time have been proposed in the literature (see the published 
surveys). One problem however is the sheer number of different semantic 
interpretations that can be made: timing information can be assigned either 
to places, transitions, arcs or tokens; time durations or intervals can be used; 
specified time can represent a period of inhibition or a period when an activity 
can occur. The tools currently available are unable to cope with this wide range 
of choices and tend to be hardwired to one specific time approach. This makes 
investigating different time extensions extremely difficult. 

In this paper we consider using rewriting logic (RL) and the associated 
support tool Elan to rapidly prototype and analyse Petri nets with 
time. RL is an algebraic formalism that extends the standard algebraic 
specification techniques by allowing the dynamic behaviour of systems to be modelled 
using rewrite rules. The idea in RL is to define the static and functional aspects 
of a system using a standard algebraic specification and to then view terms over 
this specification as system states. Rewrite rules are then used to specify the 
dynamic transitions between these states. 

As a case study we consider prototyping and analysing time Petri nets in 
which an interval for firing is associated with each transition. We 
present an RL model for this time extension and consider how the support tool 
Elan can be used to simulate and analyse the RL model. We consider what 
it means for our model to be correct and provide a formal argument to show 
that the model we have given correctly simulates time Petri nets. Even for this 
standard approach to extending Petri nets with time there are a range of possible 
semantic interpretations that can be considered. We illustrate the 
flexibility of our approach by considering how to adapt our model to represent 
some of these semantic alternatives. 

In order to make our approach practical and take advantage of existing Petri 
net tool support we have linked our approach with the widely used PEP tool. 
We use PEP as a front end to our framework, using it to create the 
initial Petri net graphs and to animate the firing sequences that result from our 
RL simulations using Elan. An overview of how we integrate the two tools Elan 
and PEP is given in Figure 1. This work illustrates how existing modelling tools 
can be combined to address new problems. 




Fig. 1. Integration of Elan and PEP 



The paper is organized as follows. In Section 2 we introduce the essential 
background definitions and results concerning RL and the support tool Elan. In 
Section 3 we introduce time Petri nets and consider how to model and analyse 
such nets using RL and Elan. This case study demonstrates how different semantic 
choices can be explored and we present a correctness argument to show that 
our model correctly simulates a time Petri net. Finally in Section 4 we present 
some concluding remarks. 

Rewriting Logic and Elan: Prototyping Tools for Petri Nets with Time 

We note that we assume the reader is familiar with the basic notation and 
definitions of Petri nets. 

2 Background: Rewriting Logic and Elan 

In this section we briefly present the background material on rewriting logic 
(RL) and its associated support tool Elan needed for this paper. We present a 
small illustrative example of how RL can be used to model simple P/T nets. 

2.1 Rewriting Logic 

Rewriting logic (RL) is an extension of standard algebraic specification 
techniques which is able to model dynamic system behaviour. In RL the functional 
and static properties of a system are described by a standard algebraic 
specification, whereas the dynamic behaviour of the system is modelled using rewrite 
rules. Terms over a given signature $\Sigma$ represent the global states of a system 
and rewrite rules model the dynamic transitions between these states. We now 
present a brief introduction to RL; for a more detailed introduction see the 
RL literature. 

A standard algebraic specification $(\Sigma, E)$ is a pair consisting of a signature 
$\Sigma$ and a set of equations E over $\Sigma$ and a set of variables X. 
In RL such a specification is seen as defining the states of a system 
with each equivalence class (with respect to the equations E) of terms $[t]_E$ being 
a particular state. We can then define rewrite rules $t \to t'$, for terms t, t' over $\Sigma$ 
and variables X, which define the dynamic transitions that can occur between 
states. 

Definition 1. A rewriting logic specification $Spec = (\Sigma, E, R)$ is a triple 
consisting of: an algebraic signature $\Sigma$ which defines a set of sorts S and a set of 
function symbols; a set of equations E over $\Sigma$ and a set of variables X; and 
a set of (labelled) rewrite rules R over $\Sigma$ and X. □ 

As an example of an RL specification let us consider how we might model the 
simple Petri net depicted in Figure 2 (we follow the approach given in the 
literature). The basic idea will be to model a token being present on a place $p_i$ by a 
constant $p(i)$. A marking can then be modelled as a multi-set of these constants; 
for example the marking which contains two tokens on place $p_1$, one token on 
place $p_3$ and three tokens on place $p_4$ could be represented by the term 

    $p(1) \otimes p(1) \otimes p(3) \otimes p(4) \otimes p(4) \otimes p(4)$, 

where $\otimes$ is the symbol used to denote multi-set union. Note that since places $p_2$ 
and $p_5$ don't contain any tokens they do not appear in the multi-set. Each 
transition will be represented by a rewrite rule which consumes tokens and produces 
new tokens. For example, transition $t_3$ would be modelled by the following rule: 

    $p(3) \otimes p(4) \to p(1) \otimes p(2)$. 

Fig. 2. A simple example of a Petri net 

The complete RL specification $Spec_{PN} = (\Sigma, E, R)$ for the Petri net 
depicted in Figure 2 is defined below. 

(i) Signature $\Sigma$: Let S = {pnet} be a sort set and let $\Sigma$ be an S-sorted 
signature which contains the following function symbols: 

    $p(1), p(2), p(3), p(4), p(5) : \mathit{pnet}$, 

    $\mathit{empty} : \mathit{pnet}$,   $\otimes : \mathit{pnet}\ \mathit{pnet} \to \mathit{pnet}$. 

(ii) Equations E: Define the set of equations E to contain the following three 
equations which axiomatize the properties of $\otimes$: 

    $m_1 \otimes \mathit{empty} = m_1$,   $m_1 \otimes m_2 = m_2 \otimes m_1$, 

    $m_1 \otimes (m_2 \otimes m_3) = (m_1 \otimes m_2) \otimes m_3$. 

Note that these equations allow the elements within a multi-set to move around 
and that the rewrite rules defined below will be applied modulo these equations. 

(iii) Rewrite rules R: Finally, define the set of rewrite rules R to contain the 
following rules which axiomatize the transitions in the Petri net: 

    $p(1) \to p(3)$,   $p(2) \to p(4)$, 

    $p(3) \otimes p(4) \to p(1) \otimes p(2)$,   $p(3) \to p(5)$. 

Let $p(1) \otimes p(2)$ be the multi-set representing the initial marking in Figure 
2. Then the firing sequence $t_1\, t_2\, t_3$ in the Petri net can be simulated by the 
following sequence of rewrites: 

    $p(1) \otimes p(2) \to p(3) \otimes p(2) \to p(3) \otimes p(4) \to p(1) \otimes p(2)$. 
2.2 The Support Tool Elan 

A number of advanced support tools have been developed to allow RL specifications 
to be simulated and analysed including Maude (see the tutorial available 
from the Maude website¹), Elan and CafeObj. These tools provide the 
means of performing fast AC rewriting, modular structuring mechanisms, and 
powerful user definable rewrite strategies. We have chosen to use the Elan system 
here (see the tool's web site²). This choice was motivated mainly 
by the author's experience with the tool and the fact that Elan has a simple 
built-in strategy language. 

As an example of the syntax of Elan we formulate the RL specification 
presented in the previous section as an Elan module. Note that we use 
the ASCII symbol # to represent multi-set union, E the empty multi-set, 
and for generality replace the constants p(1), ..., p(5) by a function symbol 
p : int → pnet. 



    module PNet 
      import global int ; end 
      sort pnet ; end 
      operators global 
        E      : pnet ; 
        @ # @  : (pnet pnet) pnet (AC) ; 
        p(@)   : (int) pnet ; 
      end 
      rules for pnet 
        pn : pnet ; 
        global 
          []  pn # E       => pn           end 
          []  p(1)         => p(3)         end 
          []  p(2)         => p(4)         end 
          []  p(3) # p(4)  => p(1) # p(2)  end 
          []  p(4)         => p(5)         end 
        end 
      end 
    end 



The symbol @ is used to denote the position of an argument to a function 
symbol allowing a mix-fix notation. Each rule can be given an optional label 
by including text within the square brackets at the start of the rule (all the 
rules above are unlabelled). The equations of the RL specification have not 
been explicitly given in the Elan specification. Instead for reasons of efficiency 
the built-in associativity and commutativity facility of Elan has been used by 
flagging # as an (AC) operator. 

One key feature of Elan is that it provides a built-in strategy language 
for controlling the application of rewrite rules. It allows the user to specify 

¹ http://maude.csl.sri.com/tutorial/ 

² http://elan.loria.fr/ 
a general order in which rewrite rules are to be applied and the possible 
choices that can be made. The result of applying a strategy to a term is the 
set of all possible terms that can be produced according to the strategy. A 
strategy is said to fail if, and only if, it can not be applied (i.e. produces no 
results). The following is a brief overview of Elan's elementary strategy language: 

(i) Basic strategy: l. Any label used in a labelled rule [l] t => t' 
is a strategy. The result of applying a basic strategy l is the set of all terms 
that could result from one application of any rule labelled l. The strategy is 
said to fail if, and only if, no rule labelled l can be applied. 

(ii) Concatenation strategy: s1;s2. The concatenation strategy allows 
two strategies s1 and s2 to be sequentially composed, i.e. s2 is applied to the 
results from s1. The strategy fails if, and only if, either s1 or s2 fails. 

(iii) Don't know strategy: dk(s1,...,sn). The don't know strategy takes 
a list of strategies s1,...,sn and returns the union of all possible sets of terms 
that can result from these strategies. This strategy fails if, and only if, all the 
strategies s1,...,sn fail. 

(iv) Don't care strategy: dc(s1,...,sn). The don't care strategy takes 
a list of strategies s1,...,sn and chooses nondeterministically to apply one of 
these strategies si which does not fail. Thus the strategy can only fail if all 
of s1,...,sn fail. The strategy dc one(s1,...,sn) works in a similar way 
but chooses a single result term to return. One final variation is the strategy 
first(s1,...,sn) which applies the first successful strategy in the sequence 
s1,...,sn. 

(v) Iterative strategies: repeat*(s). The repeat*(s) strategy repeatedly 
applies s, zero or more times, until the strategy s fails. It returns the last set of 
results produced before the strategy s failed. The repeat+(s) version works in 
a similar way but insists that s must be successfully applied at least once. 

Elan also provides the so-called defined strategy language which extends the above elementary language by allowing recursive strategies. For a detailed discussion of Elan's strategy language see [?]. Examples of the application of Elan's strategy language will be presented in the case study that follows.
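To make the set-of-results semantics of these combinators concrete, the following is an added Python model of the elementary strategy language (it is not Elan code and not from the paper). A strategy is a function from a term to the set of terms it can produce, with the empty set standing for failure; the integer terms and the two labelled conditional rules inc and dbl are constructed purely for the demonstration.

```python
import random
from typing import Callable, Dict, List, Set, TypeVar

T = TypeVar('T')
Strategy = Callable[[T], Set[T]]     # empty result set = the strategy fails
RNG = random.Random(0)               # seeded so the "don't care" choices are reproducible

def basic(rules: Dict[str, List[Callable]], label: str) -> Strategy:
    """(i) A rule label is a strategy: every rule with that label is tried once on
    the term; a rule returns None when it does not match."""
    def s(term):
        return {r for rule in rules[label] if (r := rule(term)) is not None}
    return s

def concat(s1: Strategy, s2: Strategy) -> Strategy:
    """(ii) s1;s2: s2 is applied to each result of s1 (Elan backtracks over them);
    fails when s1 fails or s2 fails on all of s1's results."""
    return lambda term: {r2 for r1 in s1(term) for r2 in s2(r1)}

def dk(*ss: Strategy) -> Strategy:
    """(iii) dk(s1,...,sn): union of all results; fails only if every si fails."""
    return lambda term: set().union(*(s(term) for s in ss))

def dc(*ss: Strategy) -> Strategy:
    """(iv) dc(s1,...,sn): nondeterministically apply one strategy that does not fail."""
    def s(term):
        ok = [res for st in ss if (res := st(term))]
        return RNG.choice(ok) if ok else set()
    return s

def dc_one(*ss: Strategy) -> Strategy:
    """dc one(s1,...,sn): as dc, but only a single result term is kept."""
    inner = dc(*ss)
    def s(term):
        res = inner(term)
        return {RNG.choice(sorted(res, key=repr))} if res else set()
    return s

def first(*ss: Strategy) -> Strategy:
    """first(s1,...,sn): the results of the first strategy that succeeds."""
    def s(term):
        for st in ss:
            res = st(term)
            if res:
                return res
        return set()
    return s

def repeat_star(s: Strategy) -> Strategy:
    """(v) repeat*(s): apply s as long as it succeeds on each branch; a branch on
    which s fails keeps its last term, so repeat* itself never fails."""
    def r(term):
        nxt = s(term)
        return {r2 for t in nxt for r2 in r(t)} if nxt else {term}
    return r

def repeat_plus(s: Strategy) -> Strategy:
    """repeat+(s): as repeat*, but s must succeed at least once."""
    return concat(s, repeat_star(s))

# Constructed demonstration: integer terms and two labelled conditional rules,
#   [inc] n => n + 1 if n < 3        [dbl] n => 2 * n if n is even
RULES = {'inc': [lambda n: n + 1 if n < 3 else None],
         'dbl': [lambda n: 2 * n if n % 2 == 0 else None]}
inc, dbl = basic(RULES, 'inc'), basic(RULES, 'dbl')

def demo() -> Dict[str, Set[int]]:
    return {
        'dk(inc,dbl) on 2':    dk(inc, dbl)(2),          # {3, 4}
        'first(inc,dbl) on 4': first(inc, dbl)(4),       # inc fails, so {8}
        'inc;dbl on 1':        concat(inc, dbl)(1),      # 1 -> 2 -> {4}
        'inc;dbl on 0':        concat(inc, dbl)(0),      # 1 is odd: fails (set())
        'repeat*(inc) on 0':   repeat_star(inc)(0),      # {3}
        'repeat+(inc) on 5':   repeat_plus(inc)(5),      # inc never applies: fails
    }
```

The one place where a set-based model has to make a choice is concatenation: Elan backtracks over the results of s1, so s1;s2 only fails when no branch survives, which is what the union in concat computes. The same convention is used for repeat*, which is why the paper's step strategy can be read as a function from one state term to the set of successor terms.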



3 Modelling Time Petri Nets Using RL 

In this section we consider modelling and analysing time Petri nets, a time 
extension in which transitions are associated with firing intervals. We begin by 
introducing the general ideas and basic definitions of time Petri nets. We then 
consider how to model time Petri nets using RL and their analysis using the 
Elan tool. We conclude by presenting a correctness argument for our RL model 
and by demonstrating the flexibility of our approach by modelling a range of 
semantic alternatives for time Petri nets. 
3.1 Time Petri Nets

Time Petri nets were introduced in [?] and have since become one of the most popular Petri net time extensions (see for example [?] and [?]). Time Petri nets are based on associating a firing interval $[e, l]$ with each transition, where $e$ is referred to as the earliest firing time and $l$ is referred to as the latest firing time. The idea is that a transition is only allowed to fire if it has been continuously enabled for at least $e$ units of time and is forced to fire once it has been enabled for $l$ units of time (unless a conflicting transition fires first). Firing a transition (i.e. consuming enabling tokens and producing output tokens) is assumed to be instantaneous.




Fig. 3. Example of a time Petri net 



As an example consider the time Petri net depicted in Figure 3. In this example both $t_1$ and $t_2$ are enabled but only transition $t_2$ can fire since its earliest firing time is zero. Transition $t_1$ needs to be enabled for at least 1 clock cycle before it can fire. Both transitions will be forced to fire when they have been enabled for 2 clock cycles.

For simplicity, we assume we are dealing with discrete intervals (see [?]) and let $I = \{[e, l] \mid e \in \mathbb{N},\ l \in \mathbb{N} \cup \{\infty\},\ e \le l\}$. Note that a latest firing time of $\infty$ indicates that a transition will never be forced to fire. We can formally define a time Petri net as follows.

Definition 2. A Time Petri Net $TPN = (P, T, F, m_0, SI)$ is a 5-tuple where:

$P = \{p_1, p_2, \ldots, p_u\}$ is a finite set of places;

$T = \{t_1, t_2, \ldots, t_k\}$ is a finite set of transitions, such that $P \cap T = \emptyset$;

$F \subseteq (P \times T) \cup (T \times P)$ is a set of arcs (called a flow relation);

$m_0 : P \to \mathbb{N}$ is the initial marking of the Petri net; and

$SI : T \to I$ is a static interval function that assigns a firing interval to each transition. □

Let $TPN = (P, T, F, m_0, SI)$ be a time Petri net. When $TPN$ is clear from the context we let $Eft(t)$ and $Lft(t)$ denote the earliest and latest firing times respectively for any transition $t \in T$. A state $(m, c)$ in $TPN$ is a pair consisting of a marking $m : P \to \mathbb{N}$ and a clock function $c : T \to \mathbb{N}$ indicating the state of each transition's local clock. For each transition $t \in T$ its local clock records the amount of time $0 \le c(t) \le Lft(t)$ that $t$ has been continuously enabled. We let $States(TPN)$ denote the set of all possible states in $TPN$. For any transition $t \in T$, we let ${}^\bullet t = \{p \mid (p, t) \in F\}$ denote the set of input places of $t$ and $t^\bullet = \{p \mid (t, p) \in F\}$ denote the set of output places of $t$. A transition $t \in T$ is said to be enabled in a state $(m, c)$ if, and only if, $m(p) > 0$ for each $p \in {}^\bullet t$. We let $Enabled(m)$ denote the set of all enabled transitions in a state $(m, c)$.

Next we define the conditions necessary for a transition to be able to fire.

Definition 3. A transition $t \in T$ is fireable in state $(m, c)$ after delay $d$ if and only if

(i) $t$ is enabled in $(m, c)$;

(ii) $Eft(t) \le c(t) + d \le Lft(t)$; and

(iii) for all other enabled transitions $t' \in Enabled(m)$ we have $c(t') + d \le Lft(t')$.

□

We denote by $Fireable((m, c), d)$ the set of all transitions that may be fired in a state $(m, c)$ with delay $d$. We can define what happens to a state when a transition fires as follows.

Definition 4. Given a transition $t \in Fireable((m, c), d)$ we can fire $t$ after a delay $d$ to produce a new state $(m', c')$, denoted $(m, c)[t, d\rangle(m', c')$, which is defined as follows:

$m' = m'' \cup t^\bullet$ and $m'' = m \setminus {}^\bullet t$;

$c'(t_i) = \begin{cases} c(t_i) + d, & \text{if } t_i \in Enabled(m'') \text{ and } t_i \ne t; \\ 0, & \text{otherwise}; \end{cases}$

for all $t_i \in T$. □

Note that in the above definition the new tokens produced by a transition are discounted when considering whether or not to reset a transition's local clock (this is the reason for defining the intermediate marking $m''$). In other words, we are able to distinguish newly produced tokens (see [?]). Other semantic approaches exist for resetting local clocks (see [?]) and we will consider modelling some of these in Section 3.4.

A firing sequence for a time Petri net is a sequence of firing steps (i.e. pairs of transitions and delay values):

$\sigma = (t_{f_1}, d_1), (t_{f_2}, d_2), \ldots, (t_{f_k}, d_k),$

where $t_{f_i} \in T$ and $d_i$ is some delay. A firing sequence $\sigma$ is said to be fireable from a state $s_1$ if, and only if, there exist states $s_2, \ldots, s_{k+1}$ such that $s_i[t_{f_i}, d_i\rangle s_{i+1}$, for $i = 1, \ldots, k$.
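Definitions 3 and 4 written out as an added Python example (not code from the paper). The net is the one of Figure 3 with the intervals the paper later prints in its initial RL term; the arcs of t2 (p2 to p4) and t4 (p3 to p5) are inferred from the Elan rules and the firing sequence reported in Section 3.2, so they are an assumption of this example. run replays a firing sequence from the initial state and rejects any step whose transition is not fireable after the given delay, which is exactly the fireability condition on sequences above.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Figure 3 net. Intervals are those of the initial RL term in Section 3.2; the
# arcs of t2 (p2 -> p4) and t4 (p3 -> p5) are inferred from the Elan rules and
# the reported firing sequence, so they are an assumption of this example.
PRE  = {'t1': ['p1'], 't2': ['p2'], 't3': ['p3', 'p4'], 't4': ['p3']}   # input places
POST = {'t1': ['p3'], 't2': ['p4'], 't3': ['p1', 'p2'], 't4': ['p5']}   # output places
SI   = {'t1': (1, 2), 't2': (0, 2), 't3': (0, 1), 't4': (1, 1)}          # [Eft, Lft]
M0   = Counter({'p1': 1, 'p2': 1})                                       # initial marking

State = Tuple[Counter, Dict[str, int]]   # (marking m, clock function c)

def initial_state() -> State:
    return (M0.copy(), {t: 0 for t in SI})

def enabled(m: Counter) -> List[str]:
    """Enabled(m): every input place of t carries at least one token."""
    return [t for t in SI if all(m[p] > 0 for p in PRE[t])]

def fireable(state: State, d: int) -> List[str]:
    """Definition 3: t may fire after delay d iff it is enabled,
    Eft(t) <= c(t)+d <= Lft(t), and no other enabled transition is pushed
    past its latest firing time by the same delay."""
    m, c = state
    en = enabled(m)
    return [t for t in en
            if SI[t][0] <= c[t] + d <= SI[t][1]
            and all(c[u] + d <= SI[u][1] for u in en if u != t)]

def fire(state: State, t: str, d: int) -> State:
    """Definition 4: remove the input tokens (m''), add the output tokens (m'),
    advance the clocks of transitions still enabled in m'' (new tokens do not
    count) and reset every other clock, including that of t itself."""
    m, c = state
    if t not in fireable(state, d):
        raise ValueError(f"{t} is not fireable after delay {d}")
    m2 = m.copy()
    m2.subtract(Counter(PRE[t]))             # m'' = m \ •t  (may hold zero counts)
    still = set(enabled(m2))
    m_new = m2 + Counter(POST[t])            # m' = m'' ∪ t•  (+ drops zero counts)
    c_new = {u: c[u] + d if (u in still and u != t) else 0 for u in SI}
    return (m_new, c_new)

def run(seq: List[Tuple[str, int]]) -> State:
    """Fire a firing sequence from the initial state; raises if some step is
    not fireable, i.e. if the sequence is not fireable from s_1."""
    s = initial_state()
    for t, d in seq:
        s = fire(s, t, d)
    return s
```

Two points of Definition 3 are easy to get wrong and are worth checking against the model: with delay 3 nothing is fireable in the initial state, because both enabled transitions would be pushed past their latest firing time 2, and after (t2, 0) the clock of t1 keeps running while the clock of t2 is reset although t2 is the transition that fired.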
3.2 Modelling Time Petri Nets Using RL

We now consider how to construct an RL model of a time Petri net that correctly simulates its behaviour. We build on the multi-set approach introduced in Section 2 and introduce new terms $t(i)[n, e, l]$ to represent transitions, where $e$ is the earliest firing time, $l$ the latest firing time and $n$ is the amount of time a transition has been continuously enabled. For example, the initial state of the time Petri net depicted in Figure 3 would be represented by the following RL term:

$p(1) \otimes p(2) \otimes t(1)[0, 1, 2] \otimes t(2)[0, 0, 2] \otimes t(3)[0, 0, 1] \otimes t(4)[0, 1, 1].$

In order to allow an in-depth analysis of a time Petri net we enhance this term structure for a state to include information about what action resulted in the state:

$(pn)[ts],$

where $pn$ is a multi-set representing the current state (see above example) and $ts$ is a multi-set recording the action that produced the state.

Next we define the rewrite rules that will be used to model the dynamic behaviour of a time Petri net. In our RL model we choose to simulate time progression by single clock ticks. We show in Section 3.3 that this approach is equivalent to allowing arbitrary time progression as defined in Definition 4. Let $n, e, l : nat$ and $pn, ts : pnet$ be variables. For each transition $t_i \in T$ with input places $p_{in_1}, \ldots, p_{in_j}$ and output places $p_{o_1}, \ldots, p_{o_k}$ we have four distinct types of labelled rules:

(1) A must fire rule that forces a transition to fire when it has reached its latest firing time:

$[mr]\ (p(in_1) \otimes \cdots \otimes p(in_j) \otimes t(i)[l, e, l] \otimes pn)[ts] \to (t(i)[0, e, l] \otimes N(p(o_1)) \otimes \cdots \otimes N(p(o_k)) \otimes pn)[t(i) \otimes ts]$

(2) A firing rule that allows a transition to choose to fire if it is within its firing interval:

$[fr]\ (p(in_1) \otimes \cdots \otimes p(in_j) \otimes t(i)[n, e, l] \otimes pn)[ts] \to (t(i)[0, e, l] \otimes N(p(o_1)) \otimes \cdots \otimes N(p(o_k)) \otimes pn)[t(i) \otimes ts] \quad \text{if } n \ge e \wedge n < l$

(3) A time progression rule to allow an enabled transition to progress in time:

$[tr]\ (p(in_1) \otimes \cdots \otimes p(in_j) \otimes t(i)[n, e, l] \otimes pn)[ts] \to (p(in_1) \otimes \cdots \otimes p(in_j) \otimes D(t(i)[n + 1, e, l]) \otimes pn)[D(t(i)) \otimes ts]$

(4) Finally we have an enabling rule which distinguishes all enabled transitions (ignoring newly produced tokens):

$[sr]\ (p(in_1) \otimes \cdots \otimes p(in_j) \otimes t(i)[n, e, l] \otimes pn)[ts] \to (p(in_1) \otimes \cdots \otimes p(in_j) \otimes D(t(i)[n, e, l]) \otimes pn)[ts]$
The [fr] and [mr] rules allow a transition to fire if it is within its firing interval. The new tokens produced are distinguished by a marker N which allows them to be temporarily ignored when considering whether or not a transition is enabled (as required by the semantics defined in Definition 4). Note the use of the variable pn in the above rules which is used to represent the remaining part of a Petri net state which we are not currently interested in. The distinction between a can fire [fr] and a must fire [mr] rule is needed to allow an appropriate rewrite strategy to be formulated (see below) to capture the semantics of a time Petri net. As long as no [mr] rule can be applied the [tr] rule can be used to allow time to progress by one unit. These rules use markers D to synchronize time progression and prevent multiple clock ticks. The enabling rules [sr] are used to distinguish those transitions which are still enabled after a transition has fired (ignoring newly produced tokens). All transition terms which are not surrounded by a D marker will have their local clocks reset to zero after a state step by a reset function.

We note that the rewrite theory defined above does not on its own capture 
the intended semantics of a time Petri net as we have defined it. In order to 
do this we will combine the above foundation rewrite theory with a rewriting 
strategy. We have chosen to take this approach (rather than producing a hard- 
coded rewrite theory) since it allows us to understand and investigate changes to 
our time Petri net semantics by simply changing our high-level rewrite strategy 
(see Section 3.4 for an illustration of this point). 

As an example of the above rewrite rules, consider the following partial Elan specification for the time Petri net in Figure 3 (for brevity we have only included the rules for transitions t1 and t3). The specification is built on top of a module basic which specifies the basic components needed such as multi-sets and place/transition terms.



module timePN

  import global basic; end

  rules for state
    pn, pn2, ts : pnet;
    m, e, l : int;
    global

      //** Rules for Transition 1 **//
      [mr] <p(1)#t(1)[l,e,l]#pn>[ts] =>
           <t(1)[0,e,l]#N(p(3))#pn>[t(1)#ts] end
      [fr] <p(1)#t(1)[m,e,l]#pn>[ts] =>
           <t(1)[0,e,l]#N(p(3))#pn>[t(1)#ts] if m>=e and m<l end
      [tr] <p(1)#t(1)[m,e,l]#pn>[ts] =>
           <D(t(1)[m+1,e,l])#p(1)#pn>[D(t(1))#ts] end
      [sr] <p(1)#t(1)[m,e,l]#pn>[ts] =>
           <D(t(1)[m,e,l])#p(1)#pn>[ts] end

      //** Rules for Transition 3 **//
      [mr] <p(3)#p(4)#t(3)[l,e,l]#pn>[ts] =>
           <t(3)[0,e,l]#N(p(1))#N(p(2))#pn>[t(3)#ts] end
      [fr] <p(3)#p(4)#t(3)[m,e,l]#pn>[ts] =>
           <t(3)[0,e,l]#N(p(1))#N(p(2))#pn>[t(3)#ts]
           if m>=e and m<l end
      [tr] <p(3)#p(4)#t(3)[m,e,l]#pn>[ts] =>
           <D(t(3)[m+1,e,l])#p(3)#p(4)#pn>[D(t(3))#ts] end
      [sr] <p(3)#p(4)#t(3)[m,e,l]#pn>[ts] =>
           <D(t(3)[m,e,l])#p(3)#p(4)#pn>[ts] end

    end
  end

Given a term representing a state in a time Petri net we can either choose to 
fire a transition or allow time to progress by one unit. However, time progression 
is not allowed if there exists a transition which has reached its latest firing time; 
in this case we are forced to fire such a transition. In order to correctly model the 
semantics outlined above we define a rewrite strategy step which will control 
the application of the rewrite rules. This strategy will be used to represent a 
single state step in a time Petri net. We will see in Section 3.4 that alternative 
time semantics can be easily incorporated into our model by simple changes to 
the step strategy. 

strategies for state
  implicit
    [] fire => fr ; repeat*(dc one(sr)) end
    [] must => mr ; repeat*(dc one(sr)) end
    [] time => repeat+(dc one(tr)) end
    [] step => dk(fire, first(must, time)) end
  end
end


The rewrite strategy fire is used to choose non-deterministically a transition to fire which is enabled and within its firing interval. It applies the [fr] rule to produce a set of possible terms and then applies the strategy repeat*(dc one(sr)) to these results to mark all those transitions which are still enabled (the other transitions will have their local clocks reset). The strategy must is similar to fire but chooses transitions to fire which have reached their latest firing time. The time progression strategy time performs one complete time step, incrementing the local clocks of all enabled transitions by one unit. These three strategies are combined into a strategy step which calculates the set of possible next states. It uses the strategy first(must, time) to ensure that time can only progress if no transition is at its latest firing time (i.e. it tries to apply must but if this fails then it applies time).

After applying step we "clean up" the resulting state term by applying a reset function which removes all N and D markers, and resets local clocks to zero:
[] reset(D(t(n)[m,e,l])) => t(n)[m,e,l] end
[] reset(t(n)[m,e,l]) => t(n)[0,e,l] end
[] reset(N(p(n))) => p(n) end
[] reset(p(n)) => p(n) end
[] reset(E) => E end
[] reset(pn # pn2) => reset(pn) # reset(pn2) end

where we have the variables pn, pn2 : pnet and m, e, l : int.

Thus a state step in our RL model, denoted $s \to s'$ using step, involves applying the strategy step and then the function reset. Given we can now define a state step it is interesting to consider how to explore the resulting state space. We begin by defining the exit states we wish to find by specifying exit conditions as rewrite rules, e.g.

[exit] <p(4) # pn>[ts] => <p(4) # pn>[ts] end

Place p4 contains at least one token;

[exit] <pn>[t(4) # ts] => <pn>[t(4) # ts] end

Transition t4 has fired;

[exit] <pn>[ts] => <pn>[ts] if length(pn) > 10 end

The size of the state (tokens plus transitions) has exceeded 10.

A state is said to be an exit state if, and only if, one of the exit rules can be successfully applied to it. Using the defined strategy language of Elan (see [?]) we can then define various search strategies that look for exit states. For example, we could define a strategy search which, given an initial state, performs a depth first search (possibly bounded) until it finds an exit state. This strategy can be generalized to a strategy searchall which finds all exit states. (For a detailed discussion of search strategies see [?] and [?].)

As an example, consider using Elan and the strategy search to find a firing sequence for the time Petri net in Figure 3 which results in a state with a token on place $p_5$, i.e. we have the exit rule:

[exit] <p(5) # pn>[ts] => <p(5) # pn>[ts] end

The following is an excerpt from the Elan tool:

[] start with term :
[search] <p(1)#p(2)#t(1)[0,1,2]#t(2)[0,0,2]#t(3)[0,0,1]#t(4)[0,1,1]>[E]
[] result term:
(<p(4)#p(5)#t(3)[0,0,1]#t(4)[0,1,1]#t(2)[0,0,2]#t(1)[0,1,2]>
[t(4)]).([D(t(4))#D(t(3))]).([t(1)]).([D(t(1))]).([t(2)]).
([t(3)]).([t(1)]).([D(t(1))]).([t(2)]).([E])
[] end
The above result term indicates one possible firing sequence that produces an exit state from the initial marking. It has been displayed using a display strategy (see [?]) that outputs only the final state reached, and the steps involved in reaching that state (i.e. [t(i)] indicates transition $t_i$ has fired and [D(t(i)) # D(t(k))] indicates that transitions $t_i$ and $t_k$ have progressed by one unit in time). The above term represents a firing sequence involving nine state steps (the initial [E] represents the initial state). It corresponds to the following time Petri net firing sequence:

$(t_2, 0), (t_1, 1), (t_3, 0), (t_2, 0), (t_1, 1), (t_4, 1).$
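The rule set, the step strategy, the reset function and the exit-state search of this section, as an added Python simulation (not the paper's Elan code): state terms are multisets carrying the N and D markers, the [mr]/[fr]/[tr]/[sr] rules are generated for every transition of Figure 3, and fire, must, time and step are built from them with the set-of-results reading of the strategy combinators. Assumptions of this example: the arcs of t2 (p2 to p4) and t4 (p3 to p5) are inferred from the Elan excerpt and the result term shown above, and the action multiset ts is returned per step alongside each successor instead of being accumulated in the term.

```python
from typing import FrozenSet, List, Optional, Set, Tuple

# transition -> (input places, output places, Eft, Lft) for Figure 3. The arcs of
# t2 (p2 -> p4) and t4 (p3 -> p5) are inferred from the Elan excerpt and the result
# term reported by the paper: an assumption of this example.
NET = {1: ((1,), (3,), 1, 2), 2: ((2,), (4,), 0, 2),
       3: ((3, 4), (1, 2), 0, 1), 4: ((3,), (5,), 1, 1)}

# State term <pn>: sorted tuple of ('p', i) tokens, ('N', i) new tokens, ('t', i, n, e, l)
# transition terms and ('D', i, n, e, l) processed terms; ts is returned per step.
Term = Tuple[tuple, ...]
Action = FrozenSet[str]

def norm(items) -> Term:
    return tuple(sorted(items, key=repr))

def initial_term() -> Term:
    """Tokens on p1 and p2, every local clock at zero (the paper's initial term)."""
    return norm([('p', 1), ('p', 2)] + [('t', i, 0, e, l) for i, (_, _, e, l) in NET.items()])

def match(pn: Term, i: int) -> Optional[tuple]:
    """Shared left-hand side for t_i: unmarked transition term plus an unmarked
    token on each input place (N-marked tokens do not enable)."""
    t = next((x for x in pn if x[0] == 't' and x[1] == i), None)
    return t if t and all(('p', p) in pn for p in NET[i][0]) else None

def remove(pn: Term, items) -> list:
    out = list(pn)
    for x in items: out.remove(x)     # multiset difference, one occurrence each
    return out

def fire_rule(pn: Term, i: int, must: bool) -> Optional[Term]:
    """[mr] when must (clock == Lft), otherwise [fr] (Eft <= clock < Lft)."""
    t = match(pn, i)
    if t is None or not ((t[2] == t[4]) if must else (t[3] <= t[2] < t[4])):
        return None
    rest = remove(pn, [t] + [('p', p) for p in NET[i][0]])
    return norm(rest + [('t', i, 0, t[3], t[4])] + [('N', p) for p in NET[i][1]])

def tick_rule(pn: Term, i: int) -> Optional[Term]:
    """[tr]: advance the clock of an enabled transition by one and D-mark it."""
    t = match(pn, i)
    return None if t is None else norm(remove(pn, [t]) + [('D', i, t[2] + 1, t[3], t[4])])

def mark_enabled(pn: Term) -> Term:
    """repeat*(dc one(sr)): D-mark every transition still enabled by old tokens;
    [sr] rules of different transitions commute, so one pass is the fixpoint."""
    for i in NET:
        t = match(pn, i)
        if t is not None:
            pn = norm(remove(pn, [t]) + [('D',) + t[1:]])
    return pn

def reset(pn: Term) -> Term:
    """Strip N and D markers; transition terms left unmarked get clock zero."""
    return norm([('t',) + x[1:] if x[0] == 'D' else ('p', x[1]) if x[0] == 'N'
                 else ('t', x[1], 0, x[3], x[4]) if x[0] == 't' else x for x in pn])

def fire(pn: Term, must: bool = False) -> Set[Tuple[Term, Action]]:
    """fire => fr ; repeat*(dc one(sr)) (must => mr ; ... when must=True), then
    reset; the [fr] rules of all transitions together act as a dk."""
    return {(reset(mark_enabled(pn2)), frozenset({f't({i})'}))
            for i in NET if (pn2 := fire_rule(pn, i, must)) is not None}

def time(pn: Term) -> Set[Tuple[Term, Action]]:
    """time => repeat+(dc one(tr)): one tick for every enabled transition;
    fails (empty set) when nothing is enabled."""
    ticked = []
    for i in NET:
        pn2 = tick_rule(pn, i)
        if pn2 is not None:
            pn, ticked = pn2, ticked + [f'D(t({i}))']
    return {(reset(pn), frozenset(ticked))} if ticked else set()

def step(pn: Term) -> Set[Tuple[Term, Action]]:
    """step => dk(fire, first(must, time))"""
    return fire(pn) | (fire(pn, must=True) or time(pn))

def search(pn: Term, is_exit, bound: int = 20, strategy=step) -> Optional[List[Action]]:
    """Bounded depth-first search; returns the action path to the first exit state."""
    stack, seen = [(pn, [])], set()
    while stack:
        cur, path = stack.pop()
        if is_exit(cur):
            return path
        if len(path) < bound and cur not in seen:
            seen.add(cur)
            for nxt, act in sorted(strategy(cur), key=lambda x: (repr(x[0]), sorted(x[1]))):
                stack.append((nxt, path + [act]))
    return None

def replay(pn: Term, actions: List[Action], strategy=step) -> Optional[Term]:
    """Follow a given action sequence; None as soon as an action is not possible."""
    for act in actions:
        succ = {a: s for s, a in strategy(pn)}
        if act not in succ: return None
        pn = succ[act]
    return pn
```

Replaying the nine step labels of the Elan result term above (t(2), D(t(1)), t(1), t(3), t(2), D(t(1)), t(1), D(t(3))#D(t(4)), t(4)) through step reproduces the final term <p(4)#p(5)#...> with every clock at zero, and search with the p(5) exit condition finds a path to the same kind of state; a step label that the strategy cannot produce, such as firing t1 at clock zero, makes replay return None.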

3.3 Correctness Argument 

In this section we consider the correctness of our RL model (rewrite theory plus 
step strategy) for time Petri nets. We show that our model is both sound (each 
step in our RL model has a corresponding state step in the time Petri net) and 
complete (every state step possible in a time Petri net has a corresponding step 
in our RL model). 

In the sequel let $TPN = (P, T, F, m_0, SI)$ be an arbitrary time Petri net and let $RL(TPN)$ be the corresponding RL model as defined in Section 3.2.

It turns out that not all terms of type pnet in $RL(TPN)$ represent valid states in $TPN$. Thus we define $ValidRL(TPN)$, the set of all state terms $s$ in $RL(TPN)$ such that: (1) if $p(i)$ in $s$ then $p_i \in P$; and (2) if $t(i)[n, e, l]$ in $s$ then $t_i \in T$, $[e, l] = SI(t_i)$, and $0 \le n \le l$. If $s \in ValidRL(TPN)$ then we say $s$ is a valid state term for $TPN$.

Proposition 5. The rewrite strategy step is well-defined with respect to valid state terms, i.e. for any $s \in ValidRL(TPN)$, if $s \to s'$ using step then $s' \in ValidRL(TPN)$.

Proof. Suppose $s \in ValidRL(TPN)$ and $s \to s'$ using step. By definition of the strategy step it follows there are three cases to consider:

Case (1): The strategy fire was used (followed by the reset function). The application of a [fr] rule simply consumes some token terms and produces some new token terms which must by definition correspond to places in $TPN$. The application of the [sr] rules taken together with the reset function will just reset the local clock of some transition terms to zero. Thus if the original state term $s$ was valid then the resulting state term $s'$ after applying fire will also be valid.

Case (2): The strategy must was used (followed by the reset function). Similar 
argument to above based on the [mr] rules. 

Case (3): The strategy must failed and so the strategy time was used (followed by the reset function). If the must strategy fails then we know there are no enabled transition terms in $s$ which have reached their latest firing time. This means that performing a time step, that is incrementing by one the local clock of all enabled transitions (which is exactly what the strategy time does), will not result in any local clock going past its transition's latest firing time. Thus the resulting state term $s'$ must be valid. □
Recall that our model is said to be sound if, and only if, each step in our RL model has a corresponding state step in the time Petri net; and complete if, and only if, every state step possible in a time Petri net has a corresponding (sequence of) step(s) in our RL model. We can now define what we mean by correctness: an RL model is correct with respect to a time Petri net if, and only if, it is both sound and complete with respect to the time Petri net.

We show that for any time Petri net TPN, the corresponding RL model 
RL(TPN) is correct. We begin our correctness proof by defining a mapping 
between states of a time Petri net and valid state terms in the corresponding 
RL model as follows. 

Definition 6. The term mapping $\sigma : States(TPN) \to ValidRL(TPN)$ is defined on each state $(m, c)$ to return the multiset term $\sigma(m, c)$ which contains only the following:

(i) for each place $p_i \in P$, the multi-set term $\sigma(m, c)$ will contain $m(p_i)$ occurrences of the place term $p(i)$;

(ii) for each transition $t_i \in T$, the multi-set term $\sigma(m, c)$ will contain the transition term $t(i)[c(t_i), Eft(t_i), Lft(t_i)]$. □

By the definition of $ValidRL(TPN)$ it is straightforward to show that $\sigma$ is a well-defined, bijective mapping with an inverse $\sigma^{-1} : ValidRL(TPN) \to States(TPN)$.

Suppose a state step $(m, c)[t, d\rangle(m', c')$ can occur in a time Petri net. Then observe that we can break such a state step down into a series of intermediate steps consisting of a series of time ticks which allow the delay $d$ to pass, followed by the transition $t$ firing. In other words we can represent $(m, c)[t, d\rangle(m', c')$ by the following sequence of events:

$(m, c)[tick\rangle(m, c_1)[tick\rangle(m, c_2)[tick\rangle \cdots [tick\rangle(m, c_d)[t\rangle(m', c'),$

where $(m, c_i)[tick\rangle(m, c_{i+1})$ represents a clock tick (i.e. increments the local clocks of all enabled transitions by one unit, resetting all other local clocks to zero) and $(m, c_d)[t\rangle(m', c')$ fires transition $t$ and resets to zero the local clocks of all transitions which are not enabled (i.e. corresponds to $(m, c_d)[t, 0\rangle(m', c')$).

Using the above observation we can show that for any time Petri net TPN, 
the corresponding RL model RL(TPN) is sound and complete. 

Theorem 7. (Soundness) Let $s \in ValidRL(TPN)$ be any state term. If $s \to s'$ using the strategy step then either $\sigma^{-1}(s)[tick\rangle\sigma^{-1}(s')$ or there must exist a transition $t \in T$ such that $\sigma^{-1}(s)[t\rangle\sigma^{-1}(s')$, i.e. the diagram in Figure 4(a) commutes.

Fig. 4. (a) Soundness; (b) Completeness.

Proof. Suppose $s \in ValidRL(TPN)$ and $s \to s'$ using step. By definition of the strategy step it follows that there are three cases to consider:

Case (1): The strategy fire was used (followed by the reset function). This strategy begins by applying a [fr] rule which corresponds to some transition, say $t \in T$. We will show that the result of this strategy $s'$ corresponds to the result of $\sigma^{-1}(s)[t\rangle\sigma^{-1}(s')$. Clearly if this rule can be applied then it follows by definition that the local clock for $t$ must be within the $Eft(t)$ and $Lft(t)$ firing times and that for each $p_i \in {}^\bullet t$ there must exist a token term $p(i) \in s$. Thus it follows that the transition $t$ must be fireable in state $\sigma^{-1}(s)$. Applying the [fr] rule will result in the token terms corresponding to the input places ${}^\bullet t$ being removed and token terms corresponding to the output places being produced. But this is exactly what will happen to the marking in state $\sigma^{-1}(s)$ when $t$ is fired. Finally, the strategy fire will use the [sr] rules and reset function to set all unenabled transition clocks (discounting the newly produced token terms) to zero. Again, by definition of firing a transition (see Definition 4) this is what happens when $t$ is fired.

Case (2): The strategy must was used (followed by the reset function). Similar 
argument to above using [mr] rules. 

Case (3): The strategy must failed and so the strategy time was used (followed by the reset function). If the must strategy fails then we know there are no enabled transition terms in $s$ which have reached their latest firing time. This means that the strategy time will be applied and a time step will be performed, i.e. the local clocks of all enabled transitions will be incremented by one and all other local clocks will be reset. Note that allowing time to progress is a valid action since no transition has reached its latest firing time. In this case it will be valid to apply the tick action to the state $\sigma^{-1}(s)$ which performs exactly the time update detailed above. Thus we will have $\sigma^{-1}(s)[tick\rangle\sigma^{-1}(s')$ as required. □



Theorem 8. (Completeness) Let $(m, c) \in States(TPN)$ be any state in $TPN$. If $(m, c)[t, d\rangle(m', c')$ for some transition $t \in T$ and some duration $d$, then it follows that $\sigma(m, c) \to \sigma(m', c')$ by a series of applications of the strategy step, i.e. the diagram in Figure 4(b) commutes.

Proof. Suppose that $(m, c)[t, d\rangle(m', c')$ for some transition $t \in T$ and some duration $d$. Then by the observation above we can represent this by the following sequence of events:

$(m, c)[tick\rangle(m, c_1)[tick\rangle(m, c_2)[tick\rangle \cdots [tick\rangle(m, c_d)[t\rangle(m', c').$

Thus it suffices to show that the following two facts hold. 

Fact 1: If $(m, c)[tick\rangle(m, c')$ then it follows that $\sigma(m, c) \to \sigma(m, c')$ using the strategy step.

Proof. Suppose that $(m, c)[tick\rangle(m, c')$. Then it follows that for all $t_i \in T$ we have $c(t_i) < Lft(t_i)$ (otherwise the tick event would not be valid). Therefore we know by definition of $\sigma$ that no [mr] rule can be applied to the state term $\sigma(m, c)$ and so the strategy must will fail. This means the time strategy can be applied which (along with the reset function) will increment by one the local clocks of all enabled transition terms in $\sigma(m, c)$, resetting all unenabled transition clocks to zero. But this is exactly what the tick event will do. Thus we have $\sigma(m, c) \to \sigma(m, c')$ as required.

Fact 2: If $(m, c)[t\rangle(m', c')$, for some $t \in T$, then $\sigma(m, c) \to \sigma(m', c')$ using step.

Proof. Suppose $(m, c)[t\rangle(m', c')$. Then we have two cases to consider.

(i) Suppose $c(t) < Lft(t)$. By definition of $RL(TPN)$ there is a [fr] rule for transition $t$. Given that $t$ is fireable (i.e. enabled in $m$ and $c(t) \ge Eft(t)$) it follows that its corresponding [fr] rule can be applied to the state term $\sigma(m, c)$ as part of the strategy fire and that this will remove the enabling token terms $p(i)$, for each $p_i \in {}^\bullet t$, and add the new token terms $p(i)$ to $\sigma(m, c)$, for each $p_i \in t^\bullet$. Applying the [sr] rules and reset function will then reset the local clocks of all unenabled transitions (ignoring the newly produced token terms). But this corresponds to the event of firing $t$ to produce $(m', c')$ and thus we have $\sigma(m, c) \to \sigma(m', c')$.

(ii) Suppose $c(t) = Lft(t)$. The proof follows along similar lines to (i) above but uses the [mr] rules. □

The above two theorems prove that for any time Petri net $TPN$, the corresponding RL model $RL(TPN)$ is correct with respect to $TPN$.

Theorem 9. (Correctness) Given any time Petri net $TPN$ we have that $RL(TPN)$ is a correct RL model with respect to $TPN$.

Proof. Follows directly from the definition of correctness and Theorems 7 and 8. □

3.4 Modelling Alternative Semantic Choices

In the preceding sections we have constructed an RL model for the standard semantic interpretation of time Petri nets (see [?] and [?]). In this section we demonstrate the flexibility of our approach by considering some alternative semantic choices and showing how our RL model can be easily adapted to represent these alternatives. We note that for each of these new semantics a corresponding correctness proof along the lines of that given in Section 3.3 would be needed to ensure the new RL model is correct. For brevity we omit these proofs here and leave them as an instructive exercise for the reader.

(1) Giving priority to latest firing transitions. 

One possible change to the standard semantics is to give priority to those 
transitions which have reached their latest firing times. This would mean that a 
transition which is within its firing interval but not yet at its latest firing time 
would only be allowed to fire if no transition had reached its latest firing time. 
Such a change in semantics is easy to represent in our model; we simply change 
the step strategy to reflect this change in priority as follows: 

[] step => first(must, dk(fire, time)) end

The strategy step now reflects the fact that we start by considering only the 
must fire transitions. If the strategy must fails then clearly no transition has 
reached its latest firing time; in such a case we can either choose to fire a 
transition or perform a time step. 

(2) Resetting local clocks of conflicting transitions.

In [?] an alternative semantic approach is proposed for resetting the local clocks of conflicting transitions. The idea is that when a transition $t$ fires any transition which shares an input place with $t$ has its local clock reset to zero. For example, in the time Petri net depicted in Figure 3 if transition $t_4$ fires then the local clock for transition $t_3$ will be reset. This alternative semantics is straightforward to incorporate into our RL model for time Petri nets; we simply change the firing rules ([fr] and [mr]) so that they include all transition terms for conflicting transitions and then reset their clocks when the transition fires. As an illustrative example the following would be the new firing rules for transition $t_4$ in the time Petri net depicted in Figure 3:

[mr] <p(3) # t(4)[l,e,l] # t(3)[n,e',l'] # pn>[ts] =>
     <t(4)[0,e,l] # t(3)[0,e',l'] # N(p(5)) # pn>[t(4)#ts] end
[fr] <p(3) # t(4)[m,e,l] # t(3)[n,e',l'] # pn>[ts] =>
     <t(4)[0,e,l] # t(3)[0,e',l'] # N(p(5)) # pn>[t(4)#ts]
     if m >= e and m < l end

(3) Maximal step semantics.

The final alternative we consider is imposing a maximal step semantics on time Petri nets: at each step a maximal set of concurrent fireable transitions are allowed to fire [?]. In practice, the implications of such a semantics would represent a major restriction; transitions would be forced to fire whenever they reach their earliest firing time, which contradicts assigning a firing interval to a transition. However, we consider the maximal step semantics as an illustrative example of the flexibility of our framework. To model the maximal step semantics we need only redefine the fire and step strategies; the time strategy remains the same and of course the must strategy is no longer required.

[] fire => repeat+(dk(fr, mr)) ; repeat*(dc one(sr)) end
[] step => first(fire, time) end
4 Conclusions

In this paper we have considered using RL and the support tool Elan to model 
and analyse time Petri nets. We discussed the important issue of correctness and 
showed that our RL model correctly simulates a time Petri net. We demonstrated 
the flexibility of our approach by considering several alternative semantics for 
time Petri nets. We showed that these alternatives could be straightforwardly 
represented in our model by making small adjustments either to the step strat- 
egy or to the basic RL rules. This case study illustrates how RL and Elan can 
be used to prototype and analyse Petri net extensions with time. Furthermore, 
by coupling our approach with an existing Petri net tool such as PEP we have 
shown how several different tools can be combined to produce a practical and 
usable new approach. 

We have performed a similar analysis to the one presented here using timed Petri nets (see [?] and [?]), in which a duration is associated with transitions. This work is presented in [?].

The aim of this work has been to: (i) provide a flexible formal framework for 
defining semantic models of Petri net extensions with time which are succinct 
and easily communicated; (ii) provide tools to allow a range of different Petri net 
extensions with time to be simulated and practically investigated, thus overcom- 
ing the problems associated with the current hardwired tools. We note that we 
are not proposing that our approach should replace efficient hardwired tools for 
large scale verification tasks. We see our approach as allowing a tool developer 
to formally specify the semantics they have chosen and to expediently prototype 
their ideas before committing themselves to the development of a practical tool. 
Our framework could also be seen as a design aid, allowing a developer to test 
out their ideas before committing to a particular Petri net time model. 

In future work we intend to investigate extending our approach to prototyping verification algorithms, such as the finite prefix construction. We also intend to perform a variety of verification case studies to illustrate the application of our methods and investigate their limitations.
Abstract. We introduce partial S-invariants of Petri nets, which can help to determine invariants and to prove safety if large nets are built from smaller ones using parallel composition with synchronous communication. Partial S-invariants can support compositional reduction and, in particular, the fixed-point approach, used for verifying infinite parameterized families of concurrent systems. With partial S-invariants and the fixed-point approach we prove the correctness of two solutions to the MUTEX-problem based on token rings; for this, we only have to prove liveness of a simplified version due to previous results.



1 Introduction 

For the verification of infinite parameterized families of concurrent systems the so-called behavioural fixed-point approach is advocated in [?]. The members of such families are composed of an increasing number of components. If one can show that the composition of, say, two of these components is equivalent to just one, then one can reduce each member of the family to an equivalent small one, and it suffices to prove this small system correct. This approach is a specific case of compositional reduction, for which the equivalence under consideration has to be a congruence for composition - and, of course, it must be strong enough to support verification. We will model systems with Petri nets, and we will use parallel composition with synchronization of common actions, which corresponds to merging transitions; also renaming and hiding of actions are important.

In this paper, we will apply the fixed-point approach to two token-ring based 
solutions for the problem of mutual exclusion (MUTEX). Such a ring has a 
component for each user that needs access to the shared resource, and each 
component has a separate interface that allows the user to request access, enter 
its critical section - in which the resource is used and leave this section again. 
To verify such a ring, one has to show the safety property that there are never 
two users in their critical sections at the same time, i.e. that enter- and leave- 
actions alternate properly, and one has to show the liveness property that to each 
requesting user access is granted eventually. Modelling token-rings with Petri 
nets, MUTEX-safety is usually easy to show applying an S-invariant. Hence, we 
want to apply the fixed-point approach to prove MUTEX-liveness. 

An immediate problem is that each ring component has an external interface to its user with actions of its own, and thus two components can hardly be equivalent to one. In [?], we have shown that under some symmetry assumption it is sufficient to check MUTEX-liveness for one user and hide the other user-actions from the interface. In the modified net, only the actions of one user are visible and two components may be equivalent to one; hence, and this is the first point to be made, our symmetry result opens the door for applying the fixed-point approach.

In fact, one encounters another problem: the composition of two components may not be equivalent to one, because in isolation these nets exhibit behaviour that is not possible in the complete ring. To show the equivalence, one has to restrict their behaviour in a suitable way; this is somewhat similar e.g. to the interface descriptions presented in [?]. The main contribution of this paper is the development of what we call partial S-invariants in order to restrict the behaviour suitably. We show how partial S-invariants can support compositional reduction in general, and we will apply them specifically in the fixed-point approach.

Partial S-invariants of components can also be used to obtain S-invariants of composed systems. Another notion of partial S-invariants - for a setting where nets are composed by merging places - has been defined in [?], where it has also been shown how to combine these to obtain S-invariants of composed systems.

The equivalence we use is based on fairness in the sense of the progress assumption, i.e. weak fairness. In [?] one can find such a semantics that is compositional for safe nets. Here, we have to deal with components of a safe net that are not safe themselves, and we show that compositionality for general nets can be achieved very similarly to [?] if one uses a suitable generalization of weak fairness from safe to general S/T-nets. Since we are really interested in safe nets, we are free to choose any generalization that is convenient.

The Petri nets of this paper may have so-called read arcs, which are somewhat similar to loops. If transition $t$ and place $s$ form a loop, then firing $t$ removes a token from $s$ and returns it at the end; hence, this token is not available while $t$ is firing. If $t$ and $s$ are connected by a read arc instead, then $t$ checks for a token on $s$ without actually using it; thus, other transitions might do the same while $t$ is firing. For example, read arcs can model the concurrent reading of data. When we consider firing sequences only, read arcs and loops are interchangeable; when we consider concurrent behaviour or the progress assumption, they make a difference. It is shown in [?] that ordinary nets without read arcs cannot solve the MUTEX-problem. Read arcs have found quite some interest recently, see e.g. [?], and we include them for generality (in particular in the treatment of fairness) and because we need them in our applications.

Section 2 defines Petri nets with read arcs and the operations on nets we will use to construct the MUTEX-solutions. Section 3 gives our definition of (weak) fairness in the sense of progress assumption, refines the resulting semantics to a precongruence for our operations and shows full abstraction. Section 4 introduces partial S-invariants, shows how to combine them to S-invariants and presents the essential result for applying them for compositional reduction and, hence, in the fixed-point approach. Section 5 quotes from [2] the correctness definition for MUTEX-solutions and the symmetry result mentioned above. Section 6 shows how to use partial S-invariants in the fixed-point approach and proves two families of nets correct. For the second family, we use the tool FastAsy that compares the performance of asynchronous systems; the respective performance preorder is closely related to the precongruence we use in the present paper. We close with a discussion of related work in Section 7.

Proofs often had to be omitted in this extended abstract; they will be pre- 
sented in a forthcoming report. 



2 Basic Notions and Operations for Petri Nets 
with Read Arcs 

In this section, we introduce Petri nets with read arcs, as explained in the introduction, and the basic firing rule. Then we define parallel composition, renaming and hiding for such nets and give some laws for these operations. The transitions of our nets are labelled with actions from some infinite alphabet $\Sigma$ or with the empty word $\lambda$; the latter represents internal, unobservable actions.

Thus, a labelled Petri net with read arcs $N = (S, T, F, R, l, M_N)$ (or just a net for short) consists of finite disjoint sets $S$ of places and $T$ of transitions, the flow relation $F \subseteq S \times T \cup T \times S$ consisting of (ordinary) arcs, the set of read arcs $R \subseteq S \times T$, the labelling $l : T \to \Sigma \cup \{\lambda\}$, and the initial marking $M_N : S \to \mathbb{N}_0$; we require that $(R \cup R^{-1}) \cap F = \emptyset$. The net is called ordinary, if $R = \emptyset$.

We draw transitions as boxes, places as circles, arcs as arrows (as usual), and read arcs as lines (sometimes dashed) without arrow heads. As usual, nets $N_1$ and $N_2$ are isomorphic, written $N_1 \cong N_2$, if there is some function that bijectively maps the places (transitions) of $N_1$ to the places (transitions) of $N_2$ such that arcs, read arcs, labelling and initial marking are preserved. The alphabet $\alpha(N)$ of a net $N$ is the set of all actions from $\Sigma$ that occur as labels in $N$.

For each $x \in S \cup T$, the preset of $x$ is ${}^\bullet x = \{y \mid (y, x) \in F\}$, the postset of $x$ is $x^\bullet = \{y \mid (x, y) \in F\}$, and the read set of $x$ is $\hat{x} = \{y \mid (y, x) \in R \cup R^{-1}\}$. If $x \in {}^\bullet y \cap y^\bullet$, then $x$ and $y$ form a loop. A marking is a function $S \to \mathbb{N}_0$. We sometimes regard sets as characteristic functions, which map the elements of the sets to 1 and are 0 everywhere else; hence, we can e.g. add a marking and a postset of a transition or compare them componentwise.

Our basic firing rule extends the firing rule for ordinary nets by regarding read arcs as loops: a transition $t$ is enabled under a marking $M$, denoted by $M[t\rangle$, if ${}^\bullet t \cup \hat{t} \le M$. If $M[t\rangle$ and $M' = M + t^\bullet - {}^\bullet t$, then we denote this by $M[t\rangle M'$ and say that $t$ can occur or fire under $M$ yielding the marking $M'$.

This definition of enabling and occurrence can be extended to finite sequences as usual by repeated application. An infinite sequence $w$ of transitions is enabled under a marking $M$, denoted as above, if all its finite prefixes are enabled under $M$. We denote the set of finite sequences over a set $X$ by $X^*$, the set of infinite sequences by $X^\omega$ and their union by $X^\infty$. If $w \in T^\infty$ is enabled under the initial marking, then it is called a firing sequence.

We can extend the labelling to sequences of transitions as usual, i.e. homomorphically, which automatically deletes internal actions. With this, we lift the enabledness and firing definitions to actions: a sequence $v$ of actions from $\Sigma$ is enabled under a marking $M$, denoted by $M[v\rangle\rangle$, if there is some transition sequence $w$ with $M[w\rangle$ and $l(w) = v$; for finite $v$, $M[v\rangle\rangle M'$ is defined analogously. If $M = M_N$, then $v$ is called a trace.

A marking $M$ is called reachable if $M_N[w\rangle M$ for some $w \in T^*$. The net is safe if $M(s) \le 1$ for all places $s$ and reachable markings $M$ and if all transitions $t$ satisfy ${}^\bullet t \ne \emptyset$; the latter can be ensured by adding a new marked loop to $t$.

We are mainly interested in safe nets, but since we will construct safe nets 
from components that, considered in isolation, violate one or both of the required 
conditions, we develop our approach for general nets. 

Safe nets are without self-concurrency: A transition $t$ is enabled self-concurrently under a marking $M$, if ${}^\bullet t \cup \hat{t} \le M - {}^\bullet t$, i.e. if there are enough tokens to enable two copies of $t$ at the same time. A net is without self-concurrency, if no transition $t$ is enabled self-concurrently under a reachable marking $M$.

Our parallel composition $\|$, where synchronization is over common actions, is not much different from TCSP-like composition used in [?], but makes notation lighter, and it is also used in [?]. If nets $N_1$ and $N_2$ with $A = \alpha(N_1) \cap \alpha(N_2)$ are combined using $\|$, then they run in parallel and have to synchronize on actions from $A$. To construct the composed net, we have to combine each $a$-labelled transition $t_1$ of $N_1$ with each $a$-labelled transition $t_2$ from $N_2$ if $a \in A$; i.e., we take the disjoint union of $N_1$ and $N_2$, and then for each such pair, we introduce a new $a$-labelled transition $(t_1, t_2)$ that inherits the pre-, post- and read set from both, $t_1$ and $t_2$; in the end, we delete all original transitions with label in $A$.

Other important operators for the modular construction of nets are hiding and renaming, which bind stronger than parallel composition. Hiding $A \subseteq \Sigma$ in $N$ means changing all labels $a \in A$ to $\lambda$; it results in $N/A$; we write $N/a$ instead of $N/\{a\}$ for a single $a \in \Sigma$. Similarly, $w/A$ is obtained from a finite or infinite sequence $w$ over $\Sigma$ by removing all occurrences of actions from $A$. Clearly, $N/A/B = N/(A \cup B)$; we will freely combine several applications of hiding into one or split one into several.

Just as [?], we use a relabelling that is a bit more general than usual; a relabelling function $f$ maps actions from $\Sigma$ to nonempty subsets of $\Sigma$ and $\lambda$ to $\{\lambda\}$. For a relabelling function $f$, let $dom(f) = \{a \in \Sigma \mid f(a) \ne \{a\}\}$, $cod(f) = \bigcup_{a \in dom(f)} f(a)$ and $\alpha(f) = dom(f) \cup cod(f)$.

The relabelling $N[f]$ of $N$ is obtained from $N$ by replacing each transition $t$ with $l(t) = a$ by as many copies as $f(a)$ has elements and labelling each copy by the respective element; the copies are connected to the places just as $t$.

For $X \subseteq \Sigma$, we set $f(X) = \bigcup_{a \in X} f(a)$ and $f^{-1}(X) = \{a \in \Sigma \mid f(a) \cap X \ne \emptyset\}$. We can extend $f$ homomorphically to finite or infinite sequences over $\Sigma$ such that each sequence is mapped to a set of sequences.

Usually, a relabelling will map almost all $a \in \Sigma$ to $\{a\}$ - we say it is the identity for these $a$; then, we will only list the exceptions together with their respective images in the form $N[a_1 \to A_1, \ldots, a_n \to A_n]$. Again, we omit the braces of $A_i$, if it has only one element. Thus, $N[a \to b, b \to \{c, d\}]$ is the net $N$ with each $a$ changed to $b$ and each $b$-labelled transition duplicated to a $c$- and a $d$-labelled copy; for this relabelling function $f$, $dom(f) = \{a, b\}$, $cod(f) = \{b, c, d\}$ and $\alpha(f) = \{a, b, c, d\}$; furthermore, $f(aceb) = \{bcec, bced\}$.

We now give some laws for our operations; basically the same were stated e.g. in [?], but for transition systems. These laws are based on isomorphism and should therefore hold whatever more detailed semantics one may choose, and they are true for the fairness based preorder introduced in the next section.

Law 1 $(N_1 \| N_2) \| N_3 = N_1 \| (N_2 \| N_3)$

Law 2 $N_1 \| N_2 = N_2 \| N_1$

These laws will also be used freely without referencing them explicitly.

Law 3 $N[f][g] = N[f \circ g]$ where $(f \circ g)(a) = \bigcup_{b \in f(a)} g(b)$

Law 4 $N/A = N/(A \cup B)$ provided $\alpha(N) \cap B = \emptyset$

Law 5a $N[f]/A = N/A[f]$ provided $A \cap \alpha(f) = \emptyset$

Law 5b $N[a \to B]/A = N/(A \cup \{a\})$ provided $B \subseteq A$

Law 6 $(N_1 \| N_2)[f] = N_1 \| N_2[f]$ provided $\alpha(N_1) \cap \alpha(f) = \emptyset$

Law 7 $(N_1 \| N_2)/A = N_1 \| N_2/A$ provided $\alpha(N_1) \cap A = \emptyset$

Law 8 $(N_1 \| N_2)[f] = N_1[f] \| N_2[f]$ provided $f$ only renames some actions to fresh actions, i.e. $f(a)$ is a singleton with $f(a) \cap (\alpha(N_1) \cup \alpha(N_2)) = \emptyset$ for all $a \in dom(f)$, and for different $a, b \in dom(f)$, $f(a) \ne f(b)$

We can now derive a law for $\alpha$-conversion, i.e. the renaming of actions that are bound by hiding (apply Law 4 for $B = \{b\}$, Law 5b for $A = \{b\}$ and Law 8):

Law 9 $(N_1 \| N_2)/a = (N_1[a \to b] \| N_2[a \to b])/b$ provided $b \notin \alpha(N_1) \cup \alpha(N_2)$



3 Fair Semantics 

A semantics for specifying and checking liveness properties (‘something good 
eventually happens’) usually has to consider some sort of fairness. We will define 
a semantics that incorporates the progress assumption, also called weak fairness, 
i.e. the assumption that a continuously enabled activity should eventually occur. 

In [13], we defined a fair semantics and determined the coarsest compositional refinement of it for safe nets. This result does not directly carry over to general nets, but it can be generalized when we use a slightly peculiar definition of fairness; we will discuss this peculiarity in detail after the definition.



Fig. 1. 

But first, we have to discuss the impact of read arcs on the progress assumption. Classically, an infinite firing sequence $M_N[t_0\rangle M_1[t_1\rangle M_2 \ldots$ would be called fair if we have: if some transition $t$ is enabled under all $M_i$ for $i$ greater than some $j$, then $t = t_i$ for some $i > j$. With this definition, the sequence of infinitely many $t$'s would not be fair in the net of Figure 1 since $t'$ is enabled under all states reached, but never occurs. But, in fact, $t'$ is not continuously enabled, since every occurrence of $t$ disables it momentarily, compare [?]. Thus, this sequence should be fair. On the other hand, if $t$ were on a read arc instead of a loop, it should not be fair: $t$ would only repeatedly check the presence of a resource without actually using it. To model this adequately, we will require in the definition of fairness that a continuously enabled $t$ is enabled also while each $t_i$ with $i > j$ is firing, i.e. enabled under $M_i - {}^\bullet t_i$.
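The loop-versus-read-arc distinction just made, checked mechanically: an added example (not the paper's code) that tests enabledness under $M_i - {}^\bullet t_i$ for a periodic run; the small net imitating Figure 1 and all names are assumptions of this example.

```python
from typing import Dict, FrozenSet, List, NamedTuple

# Constructed example, not the paper's code: it checks the Definition 1 condition
# "t is enabled under M_i - •t_i", i.e. while t_i is firing, for a periodic run.
fs = frozenset
Marking = Dict[str, int]

class T(NamedTuple):
    pre: FrozenSet[str]    # preset •t
    post: FrozenSet[str]   # postset t•
    read: FrozenSet[str]   # read set of t

def enabled(t: T, m: Marking) -> bool:
    # M[t> iff •t ∪ read(t) <= M (read arcs treated like loops for enabling)
    return all(m.get(s, 0) >= 1 for s in t.pre | t.read)

def fire(t: T, m: Marking) -> Marking:
    m2 = dict(m)
    for s in t.pre:
        m2[s] -= 1
    for s in t.post:
        m2[s] = m2.get(s, 0) + 1
    return m2

def enabled_while_firing(t: T, ti: T, m: Marking) -> bool:
    # enabledness of t under M_i - •t_i: tokens t_i has taken are not available to t
    during = dict(m)
    for s in ti.pre:
        during[s] -= 1
    return enabled(t, during)

def enabled_permanently_in_cycle(t: T, cycle: List[T], m0: Marking) -> bool:
    """For the infinite firing sequence cycle^omega started at m0 (the cycle must lead
    back to m0), decide whether t is enabled under every M_i - •t_i. Because the same
    markings recur forever, one round decides "eventually permanently"; if the result is
    True the sequence is not t-fair in the sense of Definition 1."""
    m, everywhere = m0, True
    for ti in cycle:
        assert enabled(ti, m), "cycle is not a firing sequence"
        everywhere = everywhere and enabled_while_firing(t, ti, m)
        m = fire(ti, m)
    assert m == m0, "cycle must reproduce the starting marking"
    return everywhere

# Constructed net in the style of Figure 1: one marked place s, t' needs s,
# and t is connected to s either by a loop or by a read arc.
m0 = {"s": 1}
t_prime = T(pre=fs({"s"}), post=fs(), read=fs())
t_loop = T(pre=fs({"s"}), post=fs({"s"}), read=fs())   # t takes the token and returns it
t_read = T(pre=fs(), post=fs(), read=fs({"s"}))        # t only checks the token

def loop_run_is_t_prime_fair() -> bool:
    # each firing of t disables t' momentarily, so t^omega is t'-fair
    return not enabled_permanently_in_cycle(t_prime, [t_loop], m0)

def read_arc_run_is_t_prime_fair() -> bool:
    # t never removes the token, t' stays enabled while t fires: t^omega is not t'-fair
    return not enabled_permanently_in_cycle(t_prime, [t_read], m0)
```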

Definition 1. For a transition $t$, a finite firing sequence $M_N[t_0\rangle M_1[t_1\rangle M_2 \ldots M_n$ is called $t$-fair, if $M_n$ does not enable $t$. An infinite one $M_N[t_0\rangle M_1[t_1\rangle M_2 \ldots$ is called $t$-fair, if we have: For no $j$, $t$ is enabled under all $M_i - {}^\bullet t_i$ for all $i > j$. If a finite or infinite firing sequence $w$ violates the respective requirement, we say that $t$ is eventually enabled permanently in $w$.

A finite or infinite firing sequence is fair, if it is $t$-fair for all transitions $t$ of $N$; we denote the set of these sequences by $FairFS(N)$. The fair language of $N$ is the set $Fair(N) = \{u \mid u = l(w) \text{ for some } w \in FairFS(N)\}$ of fair traces.

What we require in the case of an infinite sequence is stricter than the more usual requirement that, if $t$ is enabled under all $M_i - {}^\bullet t_i$ for $i$ greater than some $j$, then $t = t_i$ for some $i > j$. For safe nets, these requirements coincide:

Proposition 2. Let $N$ be a net without self-concurrency (or, in particular, a safe net), $t$ a transition and $M_N[t_0\rangle M_1[t_1\rangle M_2 \ldots$ an infinite firing sequence. Assume further that if $t$ is enabled under all $M_i - {}^\bullet t_i$ for $i$ greater than some $j$, then $t = t_i$ for some $i > j$. Then this sequence is $t$-fair.

In our constructions, we have to work with nets that may not be safe; but in 
the end, we are only interested in safe nets. Thus, it is of no particular importance 
what a fair firing sequence of an unsafe net is, and we can choose a definition 
that is technically convenient. This means here that we can obtain a fairness- 
respecting precongruence easily, i.e. in the same way as for safe nets. 

Next, we will determine the coarsest precongruence for parallel composition that respects fair-language-inclusion; this is just the right relation if we want to build systems compositionally and are interested in the fair language. Theorems 4 and 5 generalize respective results of [?] from safe nets to general nets.

Definition 3. A net $N_1$ is a fair implementation of a net $N_2$, if $\alpha(N_1) = \alpha(N_2)$ and $Fair(N_1 \| N) \subseteq Fair(N_2 \| N)$ for all nets $N$.

For a net $N$, the fair failure semantics is the set of the fair refusal pairs defined by $\mathcal{FF}(N) = \{(v, X) \mid X \subseteq \Sigma$ and $v = l(w)$ for some, possibly infinite, firing sequence $w$ that is $t$-fair for all transitions $t$ with $l(t) \in X \cup \{\lambda\}\}$.

We write $N_1 \sqsubseteq_{\mathcal{FF}} N_2$, if $N_1$ and $N_2$ have the same alphabet and $\mathcal{FF}(N_1) \subseteq \mathcal{FF}(N_2)$. If $N_1 \sqsubseteq_{\mathcal{FF}} N_2$ and $N_2 \sqsubseteq_{\mathcal{FF}} N_1$, we write $N_1 \equiv_{\mathcal{FF}} N_2$ and call the nets fair-congruent.

The motivation for this definition is as follows: assume $N_1$ is a fair implementation of the specification $N_2$, $N_2$ is a component of a parallel system and we replace this component by $N_1$; then we will get only fair behaviour that is allowed by $N_2$, i.e. that is possible when $N_2$ is used. The intuition for $(v, X) \in \mathcal{FF}(N)$ is that all actions in $X$ can be refused when $v$ is performed - in the sense that fairness does not force performance of these actions; in other words, these actions are treated correctly w.r.t. fairness.

For finite or infinite sequences $u$ and $v$ over $\Sigma$ and $A \subseteq \Sigma$, $u \|_A v$ is the set of all sequences $w$ over $\Sigma$ such that we can write $u$, $v$ and $w$ as sequences $u = u_1 u_2 \ldots$, $v = v_1 v_2 \ldots$ and $w = w_1 w_2 \ldots$ of equal finite or infinite length such that for all suitable $i = 1, 2, \ldots$ one of the following cases applies:

- $u_i = v_i = w_i \in A$

- $u_i = w_i \in \Sigma - A$ and $v_i = \lambda$

- $v_i = w_i \in \Sigma - A$ and $u_i = \lambda$

In this definition, $\lambda$'s are inserted into the decomposition of $u$ and $v$ to describe the interleaving of actions from $\Sigma - A$, while actions from $A$ are synchronized.

Theorem 4. For nets $N_1$ and $N_2$ with $\alpha(N_1) \cap \alpha(N_2) = A$ we have

$\mathcal{FF}(N_1 \| N_2) = \{(v, X) \mid \exists (v_i, X_i) \in \mathcal{FF}(N_i),\ i = 1, 2 : v \in v_1 \|_A v_2 \text{ and } X \subseteq ((X_1 \cup X_2) \cap A) \cup (X_1 \cap X_2)\}$

The proof of this theorem is similar to proofs that can be found e.g. in the full version of [?], and the proof is simpler than the proof of the corresponding Theorem 5.10 there. The crucial point, where the subtlety of our unusual fairness definition comes into play, concerns inclusion: when we construct $(v, X)$ from $(v_1, X_1)$ and $(v_2, X_2)$ as described on the right hand side of the above equation, we combine firing sequences $w_1$ of $N_1$ and $w_2$ of $N_2$ to a firing sequence $w$ of $N_1 \| N_2$. Now consider a 'combination' transition $(t_1, t_2)$ of $N_1 \| N_2$, and assume that $t_1$ occurs infinitely often in $w_1$ and $t_2$ in $w_2$, i.e. they are both treated fairly according to the more standard definition. This does not ensure that $(t_1, t_2)$ occurs in $w$ at all. But if $t_1$ is repeatedly disabled in $w_1$, then $(t_1, t_2)$ is repeatedly disabled in $w$.

Theorem 5. i) For nets $N_1$ and $N_2$, $N_1$ is a fair implementation of $N_2$ if and only if $N_1 \sqsubseteq_{\mathcal{FF}} N_2$.

ii) For nets with some fixed alphabet, inclusion of $\mathcal{FF}$-semantics is fully abstract w.r.t. fair-language inclusion and parallel composition of nets, i.e. it is the coarsest precongruence for parallel composition that refines fair-language inclusion.

Theorem 6. The relation $\sqsubseteq_{\mathcal{FF}}$ is a precongruence w.r.t. relabelling and hiding.

In [?], it is shown that $\sqsubseteq_{\mathcal{FF}}$ for safe nets is decidable. Further, an operation is considered that will be of interest later. We define this operation, state that it preserves safety and quote a result from [?].

Definition 7. An elongation of $N$ is obtained by choosing a transition $t$, adding a new unmarked place $s$ and a new $\lambda$-labelled transition $t'$ with ${}^\bullet t' = \{s\}$ and $t'^\bullet = t^\bullet$ and, finally, redefining $t^\bullet$ by $t^\bullet := \{s\}$.



Theorem 8. If a net $N_2$ is an elongation of a net $N_1$, then one of the nets is safe if and only if the other one is; in this case, $N_1 \equiv_{\mathcal{FF}} N_2$.

We close this section with a notion, also taken from [13] (and similar to one used for ordinary failure semantics), that will make Definition 17 more suggestive. $(v, X) \in \mathcal{FF}(N)$ means that $N$ can perform $v$ in such a way that all internal actions and all actions in $X$ are treated fairly. Hence, $(v, X) \notin \mathcal{FF}(N)$ means that either $N$ cannot perform $v$ in such a way that all internal actions are treated fairly or it can, but whichever way it performs $v$, it treats some action in $X$ unfairly. The latter means that some $x \in X$ is continuously enabled from some point onward; if $N$ is on its own, it certainly performs such an $x$ - but as a component of a larger system, $N$ simply offers such an $x$. We therefore define:

Definition 9. If for a net $N$ and some $(v, X) \in \Sigma^\infty \times \mathcal{P}(\Sigma)$ we have $(v, X) \notin \mathcal{FF}(N)$, then we say that $N$ surely offers (some action of) $X$ along $v$.

If $N$ surely offers $X$ along $v$ and, in a run of a composed system, $N$ as a component performs $v$ while the environment offers in this run each action in $X$, then some action in $X$ will be performed in this run.

4 Partial S-Invariants 

Corresponding to the interests of this paper, we will only consider a restricted form of S-invariants (and consequently of partial S-invariants) defined as follows.

Definition 10. Let $N$ be a net; a set $P$ of places has value $n$ (under a marking $M$) if the places in $P$ carry together $n$ tokens under the initial marking (under $M$ resp.). An S-invariant of $N$ is a set $P \subseteq S$ of value 1 such that for every transition $t$ we have $|P \cap {}^\bullet t| = |P \cap t^\bullet|$.

A partial S-invariant of $N$ with input $I \subseteq \alpha(N)$ and output $O \subseteq \alpha(N)$ is a set $P$ such that for every transition $t$ we have: if the label of $t$ is in $I$, then $|P \cap t^\bullet| - |P \cap {}^\bullet t| = 1$; if the label of $t$ is in $O$, then $|P \cap {}^\bullet t| - |P \cap t^\bullet| = 1$; if the label of $t$ is neither in $I$ nor in $O$, then $|P \cap {}^\bullet t| = |P \cap t^\bullet|$. We call such a $P$ an $(I, O, n)$-invariant, if additionally $P$ has value $n$.

$N$ is covered by S-invariants if each place is contained in an S-invariant. $N$ is covered by partial S-invariants $P_1, P_2, \ldots, P_n$, if $n = 0$ and $N$ is covered by S-invariants or $n > 0$ and each place is contained in an S-invariant or some $P_i$.

For $I \subseteq \Sigma$, $O \subseteq \Sigma$ and $n \in \mathbb{N}_0$, the $(I, O, n)$-component $C(I, O, n)$ is a net consisting of a place $s$ with $n$ tokens, an $i$-labelled transition $t$ with $t^\bullet = \{s\}$ and ${}^\bullet t \cup \hat{t} = \emptyset$ for each $i \in I$ and an $o$-labelled transition $t$ with ${}^\bullet t \cup \hat{t} = \{s\}$ and $t^\bullet = \emptyset$ for each $o \in O$.
We only use S-invariants where we just count the places in the pre- and postset of a transition. In general S-invariants, each place has a weight and, instead of counting as in $|P \cap {}^\bullet t|$, one adds up the respective weights; thus, in our S-invariants this weight is always one. Furthermore, the value does not have to be 1 in general S-invariants. Similarly, we just count places in the definition of partial S-invariants, and we restrict attention to the case where firing of a transition changes the value by 1, 0 or $-1$. There is no problem in generalizing the definition to weighted places and general changes, except that one would need arc weights to define the analogue of $(I, O, n)$-components. The following result is well-known and easy:

Theorem 11. If $P$ is an S-invariant of a net $N$, then $P$ has value 1 under all reachable markings. If $N$ is covered by S-invariants, then $N$ is safe.

Next, we state a number of properties regarding our new notions; their proofs are easy. (In particular, 4 follows from 3.)

Proposition 12.

1. If $P_i$ is an $(I_i, O_i, n_i)$-invariant of $N_i$, $i = 1, 2$, such that $I_1 \cap I_2 = \emptyset = O_1 \cap O_2$, then $P_1 \cup P_2$ is an $((I_1 \cup I_2) - (O_1 \cup O_2), (O_1 \cup O_2) - (I_1 \cup I_2), n_1 + n_2)$-invariant of $N_1 \| N_2$. In particular, $P_1$ or $P_2$ can be $\emptyset$, which is an $(\emptyset, \emptyset, 0)$-invariant.

2. If $N_i$ is covered by partial S-invariants $P_{i1}, P_{i2}, \ldots, P_{in}$, $i = 1, 2$, then $N_1 \| N_2$ is covered by the partial S-invariants $P_{11} \cup P_{21}, P_{12} \cup P_{22}, \ldots, P_{1n} \cup P_{2n}$.

3. An $(\emptyset, \emptyset, 1)$-invariant is an S-invariant.

4. If $N$ is covered by partial S-invariants $P_1, P_2, \ldots, P_n$, $n > 0$ and $P_1$ is an $(\emptyset, \emptyset, 1)$-invariant, then $N$ is covered by partial S-invariants $P_2, \ldots, P_n$.

5. $C(I, O, n)$ is covered by an $(I, O, n)$-invariant.

Corollary 13. If $N$ is covered by an $(I, O, n)$-invariant and $m \in \mathbb{N}_0$ with $m + n = 1$, then $N \| C(O, I, m)$ is safe.

Proof. By Parts 5 and 2, $N \| C(O, I, m)$ is covered by a partial S-invariant that according to Part 1 is an $(\emptyset, \emptyset, 1)$-invariant. By Part 4, $N \| C(O, I, m)$ is covered by S-invariants and, thus, safe by Theorem 11. □
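Definition 10, Proposition 12.1 and Corollary 13 carried out on a small net, as an added example that is not the paper's code: the component $N$, its place names and the function names are assumptions of this example.

```python
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Optional, Tuple

# Constructed example, not the paper's code: a net is (initial marking, transitions), each
# transition is (label, preset, postset); read arcs play no role for S-invariants.
fs = frozenset

class Tr(NamedTuple):
    label: str              # "" stands for lambda
    pre: FrozenSet[str]     # preset of the transition
    post: FrozenSet[str]    # postset of the transition

Net = Tuple[Dict[str, int], List[Tr]]
Inv = Tuple[FrozenSet[str], FrozenSet[str], int]   # (I, O, n)

def classify(net: Net, P: FrozenSet[str]) -> Optional[Inv]:
    """Return (I, O, n) if P is an (I, O, n)-invariant of net in the sense of Definition 10
    (with the smallest possible I and O), and None if P is no partial S-invariant at all."""
    m0, trans = net
    I, O = set(), set()
    for t in trans:
        delta = len(P & t.post) - len(P & t.pre)   # change of the value of P when t fires
        if delta == 1 and t.label:
            I.add(t.label)
        elif delta == -1 and t.label:
            O.add(t.label)
        elif delta != 0:
            return None   # a lambda-transition changes the value, or the change exceeds 1
    # every transition carrying a label of I (of O) must raise (lower) the value by one
    for t in trans:
        delta = len(P & t.post) - len(P & t.pre)
        if (t.label in I and delta != 1) or (t.label in O and delta != -1):
            return None
    return fs(I), fs(O), sum(m0.get(s, 0) for s in P)

def component(I: Iterable[str], O: Iterable[str], n: int, place: str = "s") -> Net:
    # C(I, O, n): one place with n tokens, an i-transition putting a token on it for each
    # i in I, and an o-transition taking a token from it for each o in O
    return ({place: n},
            [Tr(i, fs(), fs({place})) for i in I] + [Tr(o, fs({place}), fs()) for o in O])

def compose(inv1: Inv, inv2: Inv) -> Optional[Inv]:
    # Proposition 12.1: the invariant of P1 ∪ P2 in N1 || N2, if I1 ∩ I2 = O1 ∩ O2 = empty
    (I1, O1, n1), (I2, O2, n2) = inv1, inv2
    if I1 & I2 or O1 & O2:
        return None
    return (I1 | I2) - (O1 | O2), (O1 | O2) - (I1 | I2), n1 + n2

# Constructed component N: its token moves q0 -> q1 internally, leaves with "rel" and
# comes back with "acq"; P = {q0, q1} is then an ({acq}, {rel}, 1)-invariant.
N: Net = ({"q0": 1, "q1": 0},
          [Tr("", fs({"q0"}), fs({"q1"})),     # lambda: value of P unchanged
           Tr("rel", fs({"q1"}), fs()),         # output: the token leaves P
           Tr("acq", fs(), fs({"q0"}))])        # input: a token enters P
P = fs({"q0", "q1"})

def corollary13_check() -> Tuple[Inv, Inv, Inv]:
    """Corollary 13 on N: add C(O, I, m) with m + n = 1 and combine the two partial
    S-invariants; the result is an (empty, empty, 1)-invariant, i.e. an S-invariant covering
    both nets, so N || C(O, I, m) is safe by Theorem 11."""
    inv = classify(N, P)
    I, O, n = inv
    C = component(O, I, 1 - n)
    inv_c = classify(C, fs({"s"}))
    return inv, inv_c, compose(inv, inv_c)
```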

Partial S-invariants and the notion of covering are also consistent with relabelling and hiding in the following sense.

Proposition 14.

1. Let $N$ be a net, $a \in \Sigma$ and $A \subseteq \Sigma$, such that $\alpha(N) \cap A \subseteq \{a\}$; let the relabelling $f$ map $a$ to $A$ and be the identity otherwise. If $P$ is an $(I, O, n)$-invariant of $N$, then $P$ is an $(f(I), f(O), n)$-invariant of $N[f]$. If $N$ is covered by partial S-invariants $P_1, P_2, \ldots, P_n$, then $N[f]$ is covered by the same partial S-invariants.

2. Let $P$ be an $(I, O, n)$-invariant of $N$ that does not meet $A \subseteq \Sigma$, i.e. $I \cap A = O \cap A = \emptyset$. Then $P$ is an $(I, O, n)$-invariant of $N/A$. If $N$ is covered by partial S-invariants $P_1, P_2, \ldots, P_n$ that do not meet $A$, then $N/A$ is covered by the same partial S-invariants.
We close this section with the key result that will allow to insert some sort of interface description into a parallel composition; applications will be shown in Section 6. If $N$ has an $(I, O, n)$-invariant, then $C(I, O, n)$ is a sort of abstraction of $N$. Hence, adding it to $N$ as parallel component does not change the behaviour: one can show that the firing sequences stay the same and, in such a sequence, a transition is eventually enabled permanently before if and only if it is after the addition.

Proposition 15. If $N$ has an $(I, O, n)$-invariant $P$, then $N \| C(I, O, n) \equiv_{\mathcal{FF}} N$.

This proposition can be used to reduce some $N \| N'$ to a smaller fair-congruent net. It might even be that - while $N'$ is quite manageable, in particular not too large - the precise definition of $N$ and its size depend on a parameter, i.e. its size may be arbitrarily large. If we know at least that $N$ has an $(I, O, n)$-invariant, then $N \| N' \equiv_{\mathcal{FF}} N \| C(I, O, n) \| N'$ by Proposition 15 and the precongruence result of Theorem 5, i.e. we can insert $C(I, O, n)$ into the parallel composition; now we might be able to reduce $C(I, O, n) \| N'$ in a way that would not be possible for $N'$ in isolation; if the component $C(I, O, n)$ perseveres (like a catalyst), we can remove it after the reduction. Corollary 16 describes this compositional reduction, also for the more general case of several partial S-invariants. Observe that Proposition 15 is also valid for language-equivalence or bisimilarity in place of fair-congruence; hence, partial S-invariants also support the reduction method if these congruences are used.

In this method, $C(I, O, n)$ is an interface description; it restricts the behaviour of $N'$ to what is relevant in $N \| N'$. Important is that this interface description is verified on $N$ syntactically, while the reduction deals with the behaviour of $N'$ only, and not with that of $N$. This is in contrast to [?], where some interface description is guessed, used in the reduction of $N'$ to $N''$ and then verified during the further reduction of $N \| N''$. The latter considers the behaviour of $N$, which is not possible in the fixed-point approach where $N$ is parametric, i.e. not completely known.

Corollary 16.

1. Assume that $N$ has an $(I, O, n)$-invariant and $C(I, O, n) \| N' \equiv_{\mathcal{FF}} C(I, O, n) \| N''$ or $C(I, O, n) \| N' \equiv_{\mathcal{FF}} N''$. Then $N \| N' \equiv_{\mathcal{FF}} N \| N''$.

2. Assume $N$ has some partial S-invariants, $C$ is the parallel composition of the respective $(I, O, n)$-components and $C'$ the parallel composition of just some of these. If $C \| N' \equiv_{\mathcal{FF}} C' \| N''$, then $N \| N' \equiv_{\mathcal{FF}} N \| N''$.

5 Liveness Properties of MUTEX-Solutions 

This section repeats necessary material from [2] regarding the correctness of MUTEX-solutions and introduces our first application example. First, based on the $\mathcal{FF}$-semantics, we will specify correctness with a safety and a liveness requirement. Safety requires that no two users are in their critical sections simultaneously; if one user enters, then he must leave before another can enter. Our definition of liveness is explained after the definition; we only remark at this point that a MUTEX-solution can only guarantee that each requesting user can enter his critical section, if in turn each user e.g. guarantees to leave after entering.

Definition 17. We call a finite or infinite sequence over $\Sigma_n = \{r_i, e_i, l_i \mid i = 1, \ldots, n\}$ legal if $r_i$, $e_i$ and $l_i$ only occur cyclically in this order for each $i$. An $n$-MUTEX net is a net $N$ with $l(T) \subseteq \{r_i, e_i, l_i \mid i = 1, \ldots, n\} \cup \{\lambda\}$.

Such a net is a correct $n$-MUTEX-solution, if $N$ satisfies MUTEX-safety, i.e. $e$- and $l$-transitions occur alternatingly in a legal trace, and satisfies MUTEX-liveness in the following sense. Let $w \in \Sigma_n^* \cup \Sigma_n^\omega$ be legal and $1 \le i \le n$; then:

1. Each $e_i$ in $w$ is followed by an $l_i$, or $N$ surely offers $\{l_i\}$ along $w$.

2. Assume each $e_j$ is followed by $l_j$ in $w$. Then either each $r_i$ is followed by $e_i$ or $N$ surely offers $X$ along $w$ where $X$ consists of those $e_j$ where some $r_j$ in $w$ is not followed by $e_j$.

3. Assume in $w$ each $r_j$ is followed by $e_j$ and each $e_j$ by $l_j$. Then either $r_i$ occurs and each $l_i$ is followed by another $r_i$ in $w$ or $N$ surely offers $\{r_i\}$ along $w$.
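The two syntactic conditions of Definition 17 that can be checked on a finite trace, leg­ality and MUTEX-safety, as an added example that is not the paper's code; the action encoding and the sample traces are assumptions of this example.

```python
from typing import List, Tuple

# Constructed example, not the paper's code: an action of Sigma_n is encoded as
# ("r" | "e" | "l", i) for user i; traces are finite lists of such actions.
Action = Tuple[str, int]

def is_legal(w: List[Action], n: int) -> bool:
    """Definition 17: for each user i, r_i, e_i and l_i occur only cyclically in this order.
    A finite prefix may stop anywhere in the cycle."""
    expect = {i: "r" for i in range(1, n + 1)}   # next action each user may perform
    nxt = {"r": "e", "e": "l", "l": "r"}
    for kind, i in w:
        if i not in expect or kind != expect[i]:
            return False
        expect[i] = nxt[kind]
    return True

def mutex_safe(w: List[Action]) -> bool:
    """MUTEX-safety on a trace: e- and l-actions alternate, and the user who leaves is
    the one who entered, so no two users are in their critical sections at once."""
    inside = None   # user currently in the critical section, if any
    for kind, i in w:
        if kind == "e":
            if inside is not None:
                return False
            inside = i
        elif kind == "l":
            if inside != i:
                return False
            inside = None
    return True

def correct_trace(w: List[Action], n: int) -> bool:
    # a trace of a correct n-MUTEX-solution must be legal and safe
    return is_legal(w, n) and mutex_safe(w)

# constructed traces for a 2-user ring
good = [("r", 1), ("r", 2), ("e", 1), ("l", 1), ("e", 2), ("l", 2), ("r", 1)]
bad_order = [("e", 1), ("r", 1)]                                          # e_1 before r_1
unsafe = [("r", 1), ("r", 2), ("e", 1), ("e", 2), ("l", 1), ("l", 2)]    # legal, both inside
```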

An $n$-MUTEX net $N$ is used in a complete system consisting of $N$ and its environment comprising the users, and these two components synchronize over $\Sigma_n$. The first part of MUTEX-liveness says that, if user $i$ enters (performs $e_i$ together with the scheduler $N$), later tries to leave (enables an $l_i$-transition) and does not withdraw (does not disable the transition again), then he will indeed leave; otherwise $l_i$ would be enabled continuously in the complete system violating fairness. (Technically, recall how the refusal sets of fair refusal pairs are composed according to Theorem 4: the complete system is fair, i.e. $l_i$ is refused, only if one of the components refuses $l_i$.)

In other words, if user $i$ does not leave again, then he is not willing to leave since $l_i$ is offered to him. This is a user misbehaviour, but the behaviour of the scheduler $N$ is correct. As a consequence, if $N$ satisfies Part 1, we can assume that each $e_j$ is followed by $l_j$. Under this assumption, the second part of MUTEX-liveness says that each request of $i$ is satisfied, unless some requesting user is permanently offered to enter. In the latter case, that user is misbehaving by not accepting this offer, and again $N$ is working correctly.

Now we can assume that each request is satisfied. Under this assumption, $i$ requests infinitely often or $N$ at least offers him to request. The latter is not a user misbehaviour because each user is free not to request again.

The following is obvious from the definitions. 

Proposition 18. If $N_1 \sqsubseteq_F N_2$ and $N_2$ satisfies MUTEX-safety (MUTEX-
liveness resp.), then also $N_1$ satisfies MUTEX-safety (MUTEX-liveness resp.).

For token-passing solutions, MUTEX-safety is usually easy to prove with an
S-invariant; for the two families of solutions we will treat, sufficient arguments for
MUTEX-safety are given in ^j. Hence, we will concentrate on proving MUTEX-
liveness, which is more difficult. As already mentioned, application of the fixed-
point approach does not seem feasible, since the more users an n-MUTEX net
has to serve, the more visible actions it has.
The essential result from Pj (Theorem 20 below) states that, for so-called
user-symmetric nets (see [2] for the precise definition), it is enough to check a
version where only the actions of one user are visible. For our two families of
solutions, [2] also gives sufficient arguments that each of their nets is user-
symmetric.

Our first family of solutions is attributed to Le Lann; each of its nets is a
ring of components, one for each user. Figure 2(a) shows the component LLU of
the first user (except that the actions r, e and l should be indexed with 1). This
user owns the access-token, the token on the right, while the other users look the
same, except that they do not have this token. The first user can request access
with r (i.e. by firing the r-labelled transition) and enter the critical section
with e. When he leaves it with l, he passes the token to the next user, i.e. the
l-transition must be merged with the p-transition of the next user; p stands for
previous, the respective transition produces the access-token coming from the
previous user.

If the first user is not interested in entering the critical section, the token is
passed by the n-transition to the next user; i.e. the n-transition must also be
merged with the p-transition of the next user and then hidden. It is important
that the n-transition checks the token on the respective place with a read arc, since this way
the user is not prevented from requesting in a firing sequence with infinitely
many checks. Intuitively, Le Lann’s solution is correct, since the access-token is
always passed around, and if a user has requested and the token reaches his ring
component, the user will enter and leave his critical section before passing the
token on.

For a Le-Lann-ring built as just explained, it should be clear that after firing
the n-transition we get a symmetric marking where the second user owns the
access-token.



Fig. 2. (a) the component LLU, (b) the standard user $SU_i$, (c) the component LSU.

We next define the first-user view of a solution. For this we assume that each
user except the first one has a standard behaviour modelled by the i-th standard
user $SU_i$ shown in Figure 2(b): when non-critical, such a user works internally
or requests; after requesting, he enters and leaves as soon as possible. Then we
abstract away all visible behaviour of these users with a suitable hiding.

Definition 19. The first-user view $FUV(N)$ of a net N is
$(N \parallel (SU_2 \parallel \ldots \parallel SU_n)) / \{r_i, e_i, l_i \mid i = 2, \ldots, n\}$.

The first-user view of Le Lann’s ring is a ring where the first component looks
like LLU in Figure 2(a), while all other components are the composition of LLU
(with actions suitably indexed with i) and $SU_i$, i.e. they look essentially like LSU
in (c). Actually, the labelling is different, but it has been chosen in Figure 2 such
that we can directly construct the first-user view of each Le-Lann-ring from LLU
and a suitable number of copies of LSU; also, LSU should have two additional
unmarked places from $SU_i$, which are omitted since they are simply duplicates
in LSU. We only have to study the first-user views due to the following theorem.

Theorem 20. Assume that a safe n-MUTEX net N is user-symmetric and
satisfies MUTEX-safety. Then, N is a correct n-MUTEX solution if $FUV(N)$
is a correct 1-MUTEX solution.

6 Correctness Proofs 

In this section, we will develop the fixed-point approach for two families of 
solutions to the MUTEX-problem already discussed in P). In both, an access- 
token is passed around which guarantees mutual exclusion. 

6.1 Le Lann’s Ring 

We first describe formally how the first-user view of a Le-Lann-ring as explained
in the previous section can be constructed from LLU and several copies of LSU,
which are shown in Figure 2. We first define the ‘Le-Lann-chain’ $LLC_n$ induc-
tively, which is a chain of n copies of LSU.

$LLC_1 = LSU$

$LLC_{n+1} = (LSU[n \to p'] \parallel LLC_n[p \to p'])/p'$

This chain has one n-labelled transition, which moves the access-token to the
chain, and two p-labelled transitions ‘at the other end’, which remove the access-
token from the chain. Clearly, this net is not safe, since the n-labelled transition
can fire several times in a row. Now we close these chains to rings with LLU:

$LL_n = (LLU \parallel LLC_{n-1}[n \to \{l, n\}]) / \{p, n\}$

We first observe: 

Proposition 21.

1. LSU is covered by an $(\{n\}, \{p\}, 0)$-invariant. LLU is covered by a
$(\{p\}, \{l, n\}, 1)$-invariant.

2. For all n, $LLC_n$ is covered by an $(\{n\}, \{p\}, 0)$-invariant and has alphabet
$\{n, p\}$.

3. $LL_n$ is safe for all n.

Proof. 1. There are two circuits in LSU, each containing one of the marked
places; they are S-invariants. The places on the two paths from the n-labelled to
the two p-labelled transitions form an $(\{n\}, \{p\}, 0)$-invariant. The case of LLU
is very similar.

2. The claim about the alphabet follows by an easy induction. The first claim
can also be shown by induction, where n = 1 follows from 1. By 1. and IT^l and
induction, $LSU[n \to p']$ is covered by a $(\{p'\}, \{p\}, 0)$-invariant and $LLC_n[p \to p']$
is covered by an $(\{n\}, \{p'\}, 0)$-invariant. Thus, by Ell and .2 and 02, $LLC_{n+1}$
is covered by an $(\{n\}, \{p\}, 0)$-invariant.

3. By 1., LLU is covered by a $(\{p\}, \{l, n\}, 1)$-invariant. By 2. and PRlI (ob-
serve that $l \notin \alpha(LLC_{n-1})$), $LLC_{n-1}[n \to \{l, n\}]$ is covered by an $(\{l, n\}, \{p\}, 0)$-
invariant. Now by Ell and .2, $LLU \parallel LLC_{n-1}[n \to \{l, n\}]$ is covered by an
$(\emptyset, \emptyset, 1)$-invariant, and by 02, El4 and m, $LL_n$ is safe. □
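The chain and ring constructions of this subsection, together with the composition operators they rely on, as an added example; this is not code from the paper. The nets LLU and LSU are assumed reconstructions of the components described in the text (the figures are not reproduced here), and the merging rule of $\parallel$ follows the informal description (transitions with a common visible label are merged). The block builds $LL_n = (LLU \parallel LLC_{n-1}[n \to \{l, n\}])/\{p, n\}$ literally from the definitions, computes its reachability graph and checks those claims of Proposition 21 that can be checked directly (alphabet $\{n, p\}$ of $LLC_n$, safeness of $LL_n$, visible alphabet $\{r, e, l\}$ of the first-user view), together with MUTEX-safety and the S-invariant that proves it: the token-carrying places tok and c of all users carry exactly one token in every reachable marking.

```python
"""Added example (not from the paper): Le Lann's ring LL_n assembled with the
operators of Section 6.1 (parallel composition by merging equally labelled
transitions, renaming, hiding) and checked by exhaustive reachability."""
from collections import deque

LAMBDA = None  # label of internal (hidden) transitions

# A transition: (label, preset, postset, read arcs); a net: {"m0": marking, "t": [...]}
def T(lab, pre=(), post=(), rd=()):
    return (lab, frozenset(pre), frozenset(post), frozenset(rd))

def LLU():
    """Assumed first-user component: p receives the access-token, l and n pass
    it on to the next user; n reads the non-critical place with a read arc."""
    return {"m0": {"nc": 1, "rq": 0, "c": 0, "tok": 1}, "t": [
        T("r", {"nc"}, {"rq"}),            # request
        T("e", {"rq", "tok"}, {"c"}),      # enter: needs the access-token
        T("l", {"c"}, {"nc"}),             # leave; merged with next user's p
        T("n", {"tok"}, (), {"nc"}),       # not interested: pass token on
        T("p", (), {"tok"})]}              # token arrives from previous user

def LSU():
    """Assumed standard-user component (LLU with SU_i, r and e hidden); as in
    the paper its labels differ from LLU: n receives, the two p's pass on."""
    return {"m0": {"nc": 1, "rq": 0, "c": 0, "tok": 0}, "t": [
        T(LAMBDA, {"nc"}, {"rq"}), T(LAMBDA, {"rq", "tok"}, {"c"}),
        T("p", {"c"}, {"nc"}), T("p", {"tok"}, (), {"nc"}), T("n", (), {"tok"})]}

def tag(net, pfx):
    """Prefix place names so that copies of a component do not clash."""
    f = lambda s: frozenset(pfx + x for x in s)
    return {"m0": {pfx + p: k for p, k in net["m0"].items()},
            "t": [(lab, f(pre), f(post), f(rd)) for lab, pre, post, rd in net["t"]]}

def rename(net, mapping):
    """N[a -> {b1, ...}]: an a-labelled transition gets one copy per new label."""
    return {"m0": net["m0"], "t": [(new, pre, post, rd) for lab, pre, post, rd
                                   in net["t"] for new in mapping.get(lab, [lab])]}

def hide(net, labels):
    """N / A: transitions labelled in A become internal."""
    return {"m0": net["m0"], "t": [(LAMBDA if lab in labels else lab, pre, post, rd)
                                   for lab, pre, post, rd in net["t"]]}

def alpha(net):
    return {tr[0] for tr in net["t"] if tr[0] is not LAMBDA}

def par(n1, n2):
    """N1 || N2: each pair of transitions with a visible label occurring in
    both nets is merged into one transition (synchronous communication)."""
    common = alpha(n1) & alpha(n2)
    t = [tr for tr in n1["t"] + n2["t"] if tr[0] not in common]
    t += [(l1, pre1 | pre2, post1 | post2, rd1 | rd2)
          for l1, pre1, post1, rd1 in n1["t"] if l1 in common
          for l2, pre2, post2, rd2 in n2["t"] if l2 == l1]
    return {"m0": {**n1["m0"], **n2["m0"]}, "t": t}

def LLC(n):
    """Le-Lann-chain LLC_n, inductively as in Section 6.1."""
    chain = tag(LSU(), "u1.")
    for i in range(2, n + 1):
        chain = hide(par(rename(tag(LSU(), f"u{i}."), {"n": ["p'"]}),
                         rename(chain, {"p": ["p'"]})), {"p'"})
    return chain

def LL(n):
    """LL_n = (LLU || LLC_{n-1}[n -> {l, n}]) / {p, n}."""
    return hide(par(tag(LLU(), "u0."), rename(LLC(n - 1), {"n": ["l", "n"]})),
                {"p", "n"})

def reachable(net):
    """Breadth-first reachability; terminates because the rings are safe."""
    key = lambda m: tuple(sorted(m.items()))
    seen, todo = {key(net["m0"]): net["m0"]}, deque([net["m0"]])
    while todo:
        m = todo.popleft()
        for _, pre, post, rd in net["t"]:
            if all(m[p] > 0 for p in pre | rd):  # read arcs only test
                m2 = {p: v - (p in pre) + (p in post) for p, v in m.items()}
                if key(m2) not in seen:
                    seen[key(m2)] = m2
                    todo.append(m2)
    return list(seen.values())

def check_ring(n):
    """Safeness, MUTEX-safety (at most one critical user) and the S-invariant
    behind it: the 0/1 vector on all tok and c places is preserved by every
    transition (read arcs do not count) and has initial weight 1."""
    ring = LL(n)
    marks = reachable(ring)
    token = {p for p in ring["m0"] if p.endswith((".tok", ".c"))}
    return {"states": len(marks), "alphabet": alpha(ring),
            "safe": all(v <= 1 for m in marks for v in m.values()),
            "mutex": all(sum(m[p] for p in token if p.endswith(".c")) <= 1 for m in marks),
            "s_invariant": all(len(pre & token) == len(post & token)
                               for _, pre, post, _ in ring["t"])
                           and sum(ring["m0"][p] for p in token) == 1}
```

`check_ring(2)` and `check_ring(3)` report 12 and 36 reachable markings respectively, all of them safe, with at most one user critical, and with the token-place vector confirmed as an S-invariant of weight 1, which is the direct-verification counterpart of the $(\emptyset, \emptyset, 1)$-invariant in the proof above. What this reachability check cannot show is MUTEX-liveness: that property depends on the fairness assumption and the fair congruence used in the rest of the section, not on the reachable markings alone.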

From the observations in [2] - underpinned by the safeness just shown -
we can apply Theorem 20 to each Le-Lann-ring assuming that MUTEX-safety
is satisfied; it is planned to refine the notion of partial S-invariant such that
it supports the proof of MUTEX-safety. Hence, it remains to prove that $LL_n$
satisfies MUTEX-liveness, where we identify r, e and l with $r_1$, $e_1$ and $l_1$; this
has already been shown for n = 2, 3, 4 in [2]. We start with two lemmata.




Fig. 3. The net $LSU[n \to p'] \parallel C(\{p\}, \{p'\}, 1)$ (left-hand side of Lemma 22).



Lemma 22. $LSU[n \to p'] \parallel C(\{p\}, \{p'\}, 1) =_F C(\{p'\}, \{p\}, 0) \parallel C(\{p\}, \{p'\}, 1)$

The left-hand-side net is shown in Figure 3; the right-hand-side net is simply
a circuit with a p'- followed by a p-transition; we omit the proof. The next lemma
shows how to reduce one LSU-component. This only works due to the presence
of C, which will arise from a partial S-invariant in the proof of Theorem 24; C
also ensures safeness of the nets the lemma deals with.

Lemma 23. Let $C = C(\{l, n\}, \{p'\}, 0)$; then $(LLU \parallel LSU[n \to p'])/p \parallel C =_F LLU[p \to p'] \parallel C$.

Proof. By Law 7, $(LLU \parallel LSU[n \to p'])/p \parallel C =_F (LLU \parallel LSU[n \to p'] \parallel C)/p$.
Now LLU has a $(\{p\}, \{l, n\}, 1)$-invariant by |^1, C has a $(\{l, n\}, \{p'\}, 0)$-
invariant by El 5 and, hence, their parallel composition has a $(\{p\}, \{p'\}, 1)$-
invariant by E|l. Thus, applying Corollary El we can reduce $LSU[n \to p']$ to
$C(\{p'\}, \{p\}, 0)$ and arrive at $(LLU \parallel C(\{p'\}, \{p\}, 0) \parallel C)/p$, which by Law 7 again
is fair-congruent to $(LLU \parallel C(\{p'\}, \{p\}, 0))/p \parallel C$. In the latter net, the unique
p'-labelled transition has as postset the place of $C(\{p'\}, \{p\}, 0)$, which in turn
has an internal transition as postset; now one sees that the net is simply an elon-
gation of the right-hand-side net in the lemma, and we are done by Theorem 0.
□

Now we can apply the central Corollary El again to obtain the fixed-point
result and the correctness we are aiming for in this subsection.

Theorem 24. For n > 2, $LL_n =_F LL_{n-1}$. For n > 1, Le Lann’s ring is a
correct MUTEX-solution.

Proof. Once we have shown the congruence, we have that each $LL_n$ is fair-
congruent to $LL_2$, which has been shown to satisfy MUTEX-liveness in [2].
Hence, each $LL_n$ satisfies MUTEX-liveness by Proposition 18 and the second part follows
with Theorem 20 as explained above.

Thus, we will transform

$LL_n = (LLU \parallel ((LSU[n \to p'] \parallel LLC_{n-2}[p \to p'])/p')[n \to \{l, n\}]) / \{p, n\}$

preserving fair-congruence. First, we can commute the hiding of p' with the
following renaming by Law 5a and move it out of the outer brackets by Law 7
(since $p' \notin \alpha(LLU)$) obtaining

$(LLU \parallel (LSU[n \to p'] \parallel LLC_{n-2}[p \to p'])[n \to \{l, n\}]) / \{p', p, n\}$.

Since $l, n \notin \alpha(LSU[n \to p'])$, we can move the right-most renaming to the left
by Law 6; since the resulting component $L = LLC_{n-2}[p \to p'][n \to \{l, n\}]$ does
not have p in its alphabet due to renaming, we can apply Law 7 to move $/p$ and
get

$((LLU \parallel LSU[n \to p'])/p \parallel LLC_{n-2}[p \to p'][n \to \{l, n\}]) / \{p', n\}$.

The component L has an $(\{l, n\}, \{p'\}, 0)$-invariant by Propositions 21.2 and
El 1. With Lemma 23 and Corollary El we obtain

$(LLU[p \to p'] \parallel LLC_{n-2}[p \to p'][n \to \{l, n\}]) / \{p', n\}$.

By Law 3, we can commute the second renaming with the third one and then
suppress it by Law 9; with the definition we arrive at $LL_{n-1}$. □

6.2 Dijkstra’s Token-Ring 

The second MUTEX-solution we want to consider is Dijkstra’s token ring ^; we
will describe the first-user view of such a ring analogously to the above. Figure 4
shows the component DU of the first user who owns the access-token on place
tok. In Dijkstra’s token ring, the user keeps the token when leaving the critical
section, so he can use it repeatedly until an order for the token is received (action
ro) from the next component; observe the read arc from the now unmarked
place no (no order). Then the token is sent (action st) to the next component,
say clockwise. Now m is marked, indicating that this component misses the
token. If the user requests again, an order is sent (upper so-transition) counter-
clockwise to the previous component. Alternatively, the token might have moved
on clockwise from the next component such that another order is received from
this component (ro) and forwarded counter-clockwise (lower so-transition). If
consequently a token is received (rt) from the previous component, a request is
served in case one is pending or otherwise the token is forwarded (st).

The other components DSU of the first-user view are obtained similarly as
above, although this time we keep the actions for the ring communication as
they are - in this case so, ro, st and rt. In detail: to get DSU from DU we hide
r, e and l and move the token on tok to m; and we duplicate the place nc, but
without the read arc and with an internal loop transition instead; compare the
black part of Figure 5 below. Now we define a chain $DC_n$ and a ring $DTR_n$ as
in the previous subsection, taking the first user component as chain of length 1
this time.

$DC_1 = DU$

$DC_{n+1} = (DC_n[ro \to o, st \to t] \parallel DSU[so \to o, rt \to t])/\{o, t\}$

Such a chain has actions r, e, l, so and rt ‘at one end’ and ro and st ‘at the
other end’. We close it to a ring with DSU:

$DTR_n = (DC_{n-1}[ro \to so, so \to ro, rt \to st, st \to rt] \parallel DSU)/\{so, ro, st, rt\}$

Again, we will reduce a sequence of components (this time all of type DSU)
to a shorter one. Interestingly, we have to reduce a sequence of length 3, because
reducing 2 components to 1 cannot work: in a sequence of 2 components, the
first one can receive the token, send it to the second component internally and -
since it is missing the token now - send an order as the next visible action; thus,
it performs rt so in sequence. This is not possible for one component, which after
receiving the token must send it on (st) before performing so.

Since this more complicated application example is difficult to treat by hand, 
application of a tool is advisable. Since a tool for deciding fair (pre)congruence 
was not available, a tool for a related precongruence was used; this made some 
ad-hoc measures necessary as described below. 

We make use of two partial S-invariants which we give now. DU is covered
by the $(\{rt\}, \{st\}, 1)$-invariant $\{gt, c, tok\}$ making use e.g. of the S-invariant $P =
\{c, tok, m, ord, ord'\}$, and it also has the $(\{rt\}, \{so\}, 0)$-invariant $\{gt, c, tok, m\}$.
Use of this second partial S-invariant is not really necessary, but it slightly
simplifies the behaviour of the nets below, and it makes the reachability graphs
the tool has to deal with a little smaller.

Similarly to DU, DSU is covered by an $(\{rt\}, \{st\}, 0)$-invariant, and it also
has an $(\{rt\}, \{so\}, 1)$-invariant. With induction, one shows from this that $DC_n$
is covered by an $(\{rt\}, \{st\}, 1)$-invariant and has an $(\{rt\}, \{so\}, 0)$-invariant. A
first consequence is then that each $DTR_n$ is safe.

Formally, we will reduce $D_3$ to $D_2$ with the following definitions:

$D_2 = (DSU[ro \to o, st \to t] \parallel DSU[so \to o, rt \to t])/\{o, t\}$

$D_3 = (D_2[ro \to o, st \to t] \parallel DSU[so \to o, rt \to t])/\{o, t\}$

It is not surprising that $D_2$ (in a composition according to the above partial
S-invariants, i.e. with $C = C(\{st\}, \{rt\}, 1) \parallel C(\{so\}, \{rt\}, 0)$) reacts faster than
$D_3$, and we have verified this with FastAsy according to the notion of faster-
than explained e.g. in 0. (For this step, the help of Elmar Bihler is gratefully
acknowledged.) As described in this implies fair precongruence, where in the
present setting we additionally check that the two nets have the same alphabet.

Also, we have essentially verified (again with FastAsy) that $D_3$ is faster than
an elongation of $D_2$. This elongation concerns the transition that, in the sec-
ond DSU-component, represents leaving the critical section and the ro-labelled
transition; this slows down the reactions of st and so. Together, the verification
results imply fair congruence.

More precisely, in order to perform the second verification step with FastAsy,
the additional DSU-component of $D_3$ was replaced by the following net DSU'
(just as the additional LSU-component was transformed in Lemma 22). Figure 5
shows in black $DSU \parallel C$; DSU' is DSU with the additional grey transition sc,
which is some shortcut, hence the full figure shows $DSU' \parallel C$. The following
lemma states the correctness of this replacement, whose proof we have to omit.
The essential problem is that a firing sequence of $DSU \parallel C$ that is fair to all
internal transitions can fire in $DSU' \parallel C$, but it might fail to be sc-fair.

Lemma 25. Let $C = C(\{st\}, \{rt\}, 1) \parallel C(\{so\}, \{rt\}, 0)$; then we have
$DSU \parallel C =_F DSU' \parallel C$.

Fig. 5. $DSU' \parallel C$; the black part is $DSU \parallel C$, the grey transition sc is the shortcut.

As described above, we have obtained the following lemma - using Lemma 25
and FastAsy:

Lemma 26. With C as above, $D_3 \parallel C =_F D_2 \parallel C$.

We now proceed as in the proof of Theorem 24. We unfold $DTR_{n+3}$ by
definition such that we can isolate $D_3$ in it and then apply the reduction that
is possible due to the above partial S-invariants and Lemma 26. Thus, we can
show

$DTR_{n+3} = (DC_n[ro \to so, so \to ro, rt \to st, st \to rt] \parallel D_3)/\{so, ro, st, rt\}$
$=_F (DC_n[ro \to so, so \to ro, rt \to st, st \to rt] \parallel D_2)/\{so, ro, st, rt\}$
$= DTR_{n+2}$.



This way, we can reduce rings with at least 4 components to $DTR_3$; $DTR_3$ and
$DTR_2$ were shown to satisfy MUTEX-liveness in [2]. This finishes our second
application:

Theorem 27. For n > 3, $DTR_n =_F DTR_{n-1}$. For n > 1, Dijkstra’s token
ring is a correct MUTEX-solution.



7 Conclusion and Related Literature 

In this paper, we have defined partial S-invariants for a setting where nets are 
composed by merging transitions - modelling a parallel composition with syn- 
chronous communication. We have shown how to derive from partial S-invariants 
of the components (partial) S-invariants and safety of composed nets. As already 
mentioned, this is analogous to the partial S-invariants of |H1 for a setting where
nets are composed by merging places. More importantly, we have shown how
partial S-invariants give rise to interface descriptions that can be useful in com- 
positional reduction. 

We have applied this idea to show the correctness of two families of MUTEX-
solutions based on token rings - exploiting also a vital symmetry result from [5].
In this application, we have shown that two (three resp.) components of these
rings are equivalent to one (two resp.) component(s) in the proper context, which
is derived from partial S-invariants. (The reduction of three to two components
was verified using the tool FastAsy, which compares performance of asynchronous
systems.) Thus, for each of the two families each member is equivalent to a small
member; hence, correctness of this small net shown in [2] carries over to the full
family. This approach is called behavioural fixed-point approach in m. The
equivalence we have used is the coarsest congruence for the operators of interest
respecting fair behaviour in the sense of progress assumption.

Interface descriptions for compositional reduction of some system $N \parallel N'$ have
been studied in |^: there, some interface description is guessed, used in the re-
duction of N' to N'' and then verified during the further reduction of $N \parallel N''$.
The last step considers the behaviour of N, and this is not feasible in the fixed- 
point approach where N is the rest of the ring, i.e. not fixed. In contrast, partial 
S-invariants give verified interface descriptions; we have derived them with induc- 
tion from a syntactic inspection of the ring components, i.e. without considering 
their behaviour by constructing a reachability graph and possibly encountering 
a state explosion. The latter points out the potential use of partial S-invariants 
in compositional reduction in general. 

The fixed-point approach is very similar to the approach in m: there, a preorder
is used instead of an equivalence; an invariant (or representative) process
I has to be found manually, and then it is checked that P is less than I and that,
whenever some Q is less than I, $P \parallel Q$ is less than I. This implies that the com-
position of any number of components P is less than I; with a suitable preorder
and I, this implies that some relevant properties hold for all these compositions.
As an example, MUTEX-safety of a version of Le Lann’s ring is shown. More
generally, Pj considers networks that might be built from various different types
of components according to a network grammar, and a representative for each
type is used. As an example, MUTEX-safety of Dijkstra’s token ring is shown.

An important point is that the referenced papers use labelled transition sys-
tems while we use Petri nets, which in themselves are usually smaller; this is in
particular an advantage when determining partial S-invariants. Also, they allow
us to consider the subtleties of the progress assumption (i.e. the difference
between loops and read arcs). Hence, we use a behavioural equivalence that
takes the progress assumption into account, in contrast to the above papers that
use failure-inclusion m, a refinement thereof mi or a simulation preorder 0.
Liveness properties often only hold under the progress assumption.

It is planned to verify also the third family of MUTEX-solutions considered
in P|. The problem is that in this family data from an infinite set are used
(unique identifiers for the components), and it has to be checked whether these
systems can be considered as data-independent in some sense. An interesting
case study involving data-independence and a reduction as in m and 0 can
be found in [7].